Abstract

System FC, the core language of the Glasgow Haskell Compiler, is 
an explicitly-typed variant of System F with first-class type equality 
proofs called coercions. This extensible proof system forms the 
foundation for type system extensions such as type families (type- 
level functions) and Generalized Algebraic Datatypes (GADTs). 
Such features, in conjunction with kind polymorphism and datatype 
promotion, support expressive compile-time reasoning. 

However, the core language lacks explicit kind equality proofs. 
As a result, type-level computation does not have access to kind- 
level functions or promoted GADTs, the type-level analogues to 
expression-level features that have been so useful. In this paper, 
we eliminate such discrepancies by introducing kind equalities to 
System FC. Our approach is based on dependent type systems 
with heterogeneous equality and the "Type-in-Type" axiom, yet 
it preserves the metatheoretic properties of FC. In particular, type 
checking is simple, decidable and syntax directed. We prove the 
preservation and progress theorems for the extended language. 

Categories and Subject Descriptors F.3.3 [Studies of Program 
Constructs]: Type structure 

General Terms Design, Languages 

Keywords Haskell, Dependent types, Equality 

1. Introduction 

Is Haskell a dependently typed programming language? Many 
would say no, as Haskell fundamentally does not allow expressions 
to appear in types (a defining characteristic of dependently-typed 
languages). However, the type system of the Glasgow Haskell 
Compiler (GHC), Haskell's primary implementation, supports two 
essential features of dependently typed languages: flow-sensitive 
typing through Generalized Algebraic Datatypes (GADTs) (Pey- 
ton Jones et al. 2006; Schrijvers et al. 2009), and rich type- 
level computation through type classes (Jones 2000), type fami- 
lies (Chakravarty et al. 2005), datatype promotion and kind poly- 
morphism (Yorgey et al. 2012). These two features allow clever 
Haskellers to encode programs that are typically reputed to need 
dependent types. 
However, these encodings cannot accommodate all dependently-typed
programs. GADTs and type families are supported in FC,
GHC's typed intermediate language, through the use of first-class 
type equalities (Sulzmann et al. 2007). However, FC lacks first- 
class kind equalities limiting its expressiveness. As a result, GADTs 
cannot be promoted, because the type equalities in their definition 
cannot be lifted to kind equalities. Furthermore, GADTs cannot 
be indexed by kinds, which would require reasoning about kind 
equality. Finally, although type families permit types to be defined 
computationally, the lack of kind equalities means there are no 
kind families in GHC. Although these features seem esoteric, they 
are often necessary for encoding dependently-typed programs in 
GHC (Eisenberg and Weirich 2012). We give concrete examples 
that require these features in Section 2. 

Our goal in this paper is to eliminate such nonuniformities with 
a single blow, by unifying types and kinds. In essence, we augment 
FC's type language with dependent kinds — kinds that can depend 
on types. This process is not without challenges — this dependency 
has complex interactions with type equality. However, our ultimate 
goal is to better support dependently typed programming in GHC, 
and resolving these issues is a critical step.

Specifically, we make the following technical contributions: 

• We describe an explicitly-typed intermediate language with 
explicit equality proofs for both types and kinds (Sections 3 
and 4). The language is no toy: it is an extension of the System 
FC intermediate language used by GHC (Sulzmann et al. 2007; 
Weirich et al. 2011; Yorgey et al. 2012; Vytiniotis et al. 2012).

• We extend the type preservation proof of FC to cover the new 
features (Section 5). The treatment of datatypes requires an im- 
portant property: congruence for the equational theory. In other 
words, we can derive a proof of equality for any form of type 
or kind, given equality proofs of subcomponents. The compu- 
tational content of this theorem, called lifting, generalizes the 
standard substitution operation. This operation is required in the 
operational semantics for datatypes. 

• We prove the progress theorem in the presence of kind coer- 
cions and dependent coercion abstraction. The progress theo- 
rem holds under consistent sets of equality axioms. Our mod- 
ifications require new conditions on axioms to ensure consis- 
tency, and proving consistency requires significant changes to 
the proof from prior work. We discuss these changes and their 
consequences in Section 6. 

We have implemented our extensions to FC in a development
branch of GHC to demonstrate that our modifications are compatible
with the existing system, and do not invalidate existing Haskell
programs. This implementation involves extensions to the core language
syntax, type checker and stepper (used in optimizations).

Although our designs are inspired by the rich theory of depen- 
dent type systems, applying these ideas in the context of Haskell 
means that our language differs in many ways from existing work. 
We detail these comparisons in Section 7. 

The scope of this paper only includes the design and implemen- 
tation of kind equalities in the FC intermediate language; we have 
not yet modified GHC's source language, so promoted GADTs, 
kind-indexed GADTs and kind families are not (yet) available to 
programmers. Although the required syntactic extensions are mi- 
nor, extending GHC's constraint solver requires careful integra- 
tion with existing features. Furthermore, the encodings that work 
around Haskell's restriction that terms cannot appear in types often 
impose heavy syntactic overheads — improved source-level support 
for dependently-typed programming should also address this issue. 
We describe this important future work in Section 8. 

2. Why kind equalities? 

Kind equalities enable new, useful features. In this section we use
an extended example to demonstrate how kind-indexed GADTs,
promoted GADTs, and kind families might be used in practice. Below,
code snippets that require kind equalities in their compilation
to FC are highlighted in gray in the typeset version; all other code
snippets compile with the GHC of the time.

The running example below defines "shallowly" and "deeply" 
indexed representations of types, and shows how they may be 
used for Generic Programming. The former use Haskell's types 
as indices (Crary et al. 1998; Yang 1998), whereas the latter use 
an algebraic datatype (also known as a universe) (Altenkirch and 
McBride 2002; Norell 2002). (Magalhaes (2012) gives more details 
describing how extensions to Haskell, including the ones described 
in this paper, benefit generic programming.) 

Shallow indexing Consider a GADT for type representations: 

data TyRep :: * -> * where
  TyInt  :: TyRep Int
  TyBool :: TyRep Bool

GADTs differ from ordinary algebraic datatypes in that they 
allow each data constructor to constrain the type parameters to 
the datatype. For example, the TyInt constructor requires that the
single parameter to TyRep be Int.

We can use type representations for type-indexed programming — 
a simple example is computing a default element for each type. 

zero :: forall a. TyRep a -> a
zero TyInt  = 0      -- 'a' must be Int
zero TyBool = False  -- 'a' must be Bool

This code pattern matches the type representation to determine 
what value to return. Because of the nonuniform type index, pattern 
matching recovers the identity of the type variable a. In the first 
case, because the data constructor is TyInt, this parameter must be
Int, so 0 can be returned. In the second case the parameter a must 
be equal to Bool, so returning False is well-typed. 

However, the GADT above can only be used to represent types
of kind *. To represent type constructors with kind * -> *, such
as Maybe or [], we could create a separate datatype, perhaps called
TyRep1. However, this approach is ugly and inflexible: what about
tuples? Do we need a TyRep2, TyRep3, and more?

We might hope that kind polymorphism (Yorgey et al. 2012),
which allows datatypes to be parameterized by kind variables as
well as type variables, could be the solution. For example, the
following kind polymorphic type takes two phantom arguments,
a kind variable k and a type variable a of kind k.

data Proxy (a :: k) = P

However, kind polymorphism is not enough to unify the represen- 
tations for TyRep — the type representation (shown below) should 
constrain its kind parameter. 



data TyRep :: forall k. k -> * where
  TyInt   :: TyRep Int
  TyBool  :: TyRep Bool
  TyMaybe :: TyRep Maybe
  TyApp   :: TyRep b -> TyRep c -> TyRep (b c)

This TyRep type takes two parameters, a kind k and a type of
that kind (not named in the kind annotation). The data constructors
constrain k to a concrete kind. For the example to be well-formed,
TyInt must constrain the kind parameter to *. Similarly, TyMaybe
requires the kind parameter to be * -> *. We call this example a
kind-indexed GADT because the datatype is indexed by both kind
and type information.

Pattern matching with this datatype refines kinds as well as 
types — determining whether a type is of the form TyApp makes 
new kind and type equalities available. For example, consider the 
zero function extended with a default value of the Maybe type. 

zero :: forall (a :: *). TyRep a -> a
zero TyInt             = 0
zero TyBool            = False
zero (TyApp TyMaybe _) = Nothing

In the last case, the TyApp pattern introduces the kind variable k,
the type variables b :: k -> * and c :: k, and the type equality
a ~ b c. The TyMaybe pattern adds the kind equality k ~ * and the
type equality b ~ Maybe. Combining the equalities, we can show
that Maybe c, the type of Nothing, is well-kinded and equal to a.
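The kind-indexed TyRep above, in the surface syntax that GHC accepts since kind equalities landed in the compiler (the design in this paper became the TypeInType extension in GHC 8.0; the heterogeneous witness (:~~:) used below appeared with GHC 8.2). This is an added example, not code from the paper: the eqRep and safeCast functions, the module name and the sample value repMaybeInt are additions, and eqRep goes beyond the text by showing what a proof of heterogeneous equality buys you at the term level. Matching on HRefl gives the type equality and the kind equality together, which is exactly the "kind γ" extraction discussed later in the paper.

```haskell
{-# LANGUAGE GADTs, PolyKinds, KindSignatures, TypeOperators #-}
-- Added example (not from the paper): the kind-indexed TyRep of Section 2
-- in post-GHC-8.2 surface syntax, plus a heterogeneous equality test.
module ShallowKindIndexed where

import Data.Kind (Type)                     -- Type is the modern name for *
import Data.Type.Equality ((:~~:)(HRefl))   -- heterogeneous equality witness
import Data.Maybe (isJust)

-- The index a may have any kind k; each data constructor fixes k.
data TyRep :: k -> Type where
  TyInt   :: TyRep Int
  TyBool  :: TyRep Bool
  TyMaybe :: TyRep Maybe
  TyApp   :: TyRep b -> TyRep c -> TyRep (b c)

-- The zero function from the text. In the TyApp case the match brings
-- a ~ b c with b :: k -> Type and c :: k into scope; TyMaybe then adds
-- k ~ Type and b ~ Maybe, so Nothing :: Maybe c is accepted at type a.
zero :: TyRep (a :: Type) -> a
zero TyInt             = 0
zero TyBool            = False
zero (TyApp TyMaybe _) = Nothing

-- Decide whether two representations describe the same type, even when
-- their indices live at different kinds. A successful match on HRefl yields
-- both a ~ b and the kind equality k1 ~ k2. In the TyApp case the two
-- recursive witnesses are combined by congruence, which needs the arrow
-- kinds of f and g to be decomposed first (GHC's solver does this).
eqRep :: TyRep (a :: k1) -> TyRep (b :: k2) -> Maybe (a :~~: b)
eqRep TyInt       TyInt       = Just HRefl
eqRep TyBool      TyBool      = Just HRefl
eqRep TyMaybe     TyMaybe     = Just HRefl
eqRep (TyApp f x) (TyApp g y) = do
  HRefl <- eqRep f g
  HRefl <- eqRep x y
  Just HRefl
eqRep _           _           = Nothing

-- A checked cast: succeeds only when the representations are equal,
-- so no unsafeCoerce is needed anywhere.
safeCast :: TyRep (a :: Type) -> TyRep (b :: Type) -> a -> Maybe b
safeCast ra rb v = case eqRep ra rb of
  Just HRefl -> Just v
  Nothing    -> Nothing

-- Constructed sample: the representation of Maybe Int.
repMaybeInt :: TyRep (Maybe Int)
repMaybeInt = TyApp TyMaybe TyInt

main :: IO ()
main = do
  print (zero repMaybeInt)
  print (safeCast TyInt TyInt (41 + 1 :: Int))
  print (safeCast TyInt TyBool 42)
  -- indices at kinds Type -> Type and Type: comparable, but not equal
  print (isJust (eqRep TyMaybe repMaybeInt))
  print (isJust (eqRep repMaybeInt (TyApp TyMaybe TyInt)))
```

Compile with ghc and run main. GHC will warn that zero is non-exhaustive (TyApp shapes other than TyMaybe are not handled), which matches the snippet in the text; the warning is the pattern checker being conservative about which TyRep values can exist at kind Type.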

Deep indexing Kind equalities enable additional features besides 
kind-indexed GADTs. The previous example used Haskell types 
directly to index type representations. With datatype promotion, we 
can instead define a datatype (a universe) for type information. 

data Ty = TInt | TBool

We can use this datatype to index the representation type. 

data TyRep :: Ty -> * where
  TyInt  :: TyRep TInt
  TyBool :: TyRep TBool

Note that the kind of the parameter to this datatype is Ty instead
of *: datatype promotion allows the type Ty to be used as a kind
and allows its constructors, TInt and TBool, to appear in types.

To use these type representations, we describe their connection 
with Haskell types via a type family (a function at the type level). 

type family I (t :: Ty) :: *
type instance I TInt  = Int
type instance I TBool = Bool

I is a function that maps the (promoted) data constructor TInt to
the Haskell type Int, and similarly TBool to Bool.

We can use these type representations to define type-indexed 
operations, like before. 
zero :: forall (a :: Ty). TyRep a -> I a
zero TyInt  = 0
zero TyBool = False

Pattern matching TyInt refines a to TInt, which then uses the type
family definition to show that the result type is equal to Int.

Dependently typed languages do not require an argument like 
TyRep to implement operations such as zero — they can match 
directly on the type of kind Ty. This is not allowed in Haskell, 
which maintains a separation between types and expressions. The 
TyRep argument is an example of a singleton type, a standard way 
of encoding dependently typed operations in Haskell. 

Note that this representation is no better than the shallow ver- 
sion in one respect — I must produce a type of kind *. What if we 
wanted to encode TMaybe with Ty? 

To get around this issue, we use a GADT to represent different 
kinds of types. We first need a universe of kinds. 

data Kind = Star | Arr Kind Kind 

Kind is a normal datatype that, when promoted, can be used to 
index the Ty datatype, making it a (standard) GADT. 

data Ty :: Kind -> * where
  TInt   :: Ty Star
  TBool  :: Ty Star
  TMaybe :: Ty (Arr Star Star)
  TApp   :: Ty (Arr k1 k2) -> Ty k1 -> Ty k2

This indexing means that Ty can only represent well-kinded
types. For example TMaybe has type Ty (Arr Star Star) and
TApp TMaybe TBool has type Ty Star, while the value TApp TInt
would be rejected. Although this GADT can be expressed in
GHC, the corresponding TyRep type requires two new extensions:
promoted GADTs and kind families.

With the current design of FC, only a subset of Haskell 98 
datatypes can be promoted. In particular, GADTs cannot be used 
to index other GADTs. The extensions proposed in this work allow 
the GADT Ty above to be used as an index to TyRep or to be 
interpreted by the type family I, as shown below. 



data TyRep (k :: Kind) (t :: Ty k) where
  TyInt   :: TyRep Star TInt
  TyBool  :: TyRep Star TBool
  TyMaybe :: TyRep (Arr Star Star) TMaybe
  TyApp   :: TyRep (Arr k1 k2) a -> TyRep k1 b -> TyRep k2 (TApp a b)



We now need to adapt the type family I to work with the new 
promoted GADT Ty. To do so, we must classify its return kind, 
and for that, we need a kind family — a function that produces a 
kind by pattern matching a type or kind argument. For example, we 
can interpret values of the Kind datatype as Haskell kinds like so: 



kind family IK (k :: Kind)
kind instance IK Star        = *
kind instance IK (Arr k1 k2) = IK k1 -> IK k2

This interpretation of kinds is necessary to define the interpretation
of types; without it, this definition does not "kind-check":

type family I (t :: Ty k) :: IK k
type instance I TInt   = Int
type instance I TBool  = Bool
type instance I TMaybe = Maybe

However, once I has been defined, Ty and TyRep can be used 
in type-indexed operations as before. 



zero :: forall (a :: Ty Star). TyRep Star a -> I a
zero TyInt             = 0
zero TyBool            = False
zero (TyApp TyMaybe _) = Nothing







The examples above demonstrate all three features that kind 
equalities enable: kind-indexed GADTs, kind families, and pro- 
moted GADTs. While these examples are all derived from generic 
programming, we have also been able to use these features to ex- 
press dependently typed programs from McBride (2012) and Oury 
and Swierstra (2008). We omit these examples for lack of space. 

We note that the Haskell syntax used in the gray boxes above 
is hypothetical, as we have not extended the surface language. 
However, an important first step is to enhance the core language, 
System FC, so that it is expressive enough to support these features. 
We now turn to this task. 
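The deep-indexing example of this section, written in the surface syntax that GHC accepts once types and kinds share one language (GHC 8.6 or later with the extensions listed; the paper's design reached GHC as the TypeInType extension in 8.0). This is an added example, not code from the paper: once kinds are types, the "kind family" IK is just a type family whose result is a kind, and the promoted GADT Ty can index TyRep directly. The equation for I on TApp, the module name, the sample value repMaybeInt and main are additions; the TApp equation is needed so that the result type of the TyApp case of zero reduces to Maybe (I b).

```haskell
{-# LANGUAGE DataKinds, PolyKinds, GADTs, TypeFamilies, KindSignatures,
             UndecidableInstances #-}
-- Added example (not from the paper): the deep universe of Section 2 in
-- post-GHC-8.6 surface syntax.
module DeepUniverse where

import Data.Kind (Type)   -- Type is the modern name for the kind *

-- A universe of kinds; DataKinds promotes it so 'Star and 'Arr are kinds.
data Kind = Star | Arr Kind Kind

-- A universe of types indexed by a promoted Kind: a GADT that will itself
-- be promoted to index TyRep below.
data Ty :: Kind -> Type where
  TInt   :: Ty 'Star
  TBool  :: Ty 'Star
  TMaybe :: Ty ('Arr 'Star 'Star)
  TApp   :: Ty ('Arr k1 k2) -> Ty k1 -> Ty k2

-- The paper's kind family IK. With kinds and types unified it is an
-- ordinary type family whose result is a kind.
type family IK (k :: Kind) :: Type
type instance IK 'Star        = Type
type instance IK ('Arr k1 k2) = IK k1 -> IK k2

-- Interpretation of Ty; the return kind is computed by IK, which only
-- kind-checks because IK ('Arr k1 k2) reduces to IK k1 -> IK k2.
-- The 'TApp equation is an addition not shown in the paper's text.
-- UndecidableInstances allows the nested family applications in it.
type family I (t :: Ty k) :: IK k
type instance I 'TInt       = Int
type instance I 'TBool      = Bool
type instance I 'TMaybe     = Maybe
type instance I ('TApp a b) = (I a) (I b)

-- Singleton representations, indexed by a Kind and a promoted Ty value.
data TyRep (k :: Kind) (t :: Ty k) where
  TyInt   :: TyRep 'Star 'TInt
  TyBool  :: TyRep 'Star 'TBool
  TyMaybe :: TyRep ('Arr 'Star 'Star) 'TMaybe
  TyApp   :: TyRep ('Arr k1 k2) a -> TyRep k1 b -> TyRep k2 ('TApp a b)

-- Matching TyApp TyMaybe refines k2 to 'Star and a to 'TApp 'TMaybe b,
-- so the result type I a reduces to I 'TMaybe (I b) = Maybe (I b).
zero :: TyRep 'Star a -> I a
zero TyInt             = 0
zero TyBool            = False
zero (TyApp TyMaybe _) = Nothing

-- Constructed sample: the representation of Maybe Int, at kind Star.
repMaybeInt :: TyRep 'Star ('TApp 'TMaybe 'TInt)
repMaybeInt = TyApp TyMaybe TyInt

main :: IO ()
main = do
  print (zero TyInt)
  print (zero TyBool)
  print (zero repMaybeInt)
```

The promoted constructors are written with a tick ('Star, 'TInt) to distinguish them from the term-level ones; GHC accepts the unticked form as well but warns about it. Note that Kind, Ty and TyRep must be separate declaration groups, since each uses the previous one promoted in its kind.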

3. System FC 

System FC is the typed intermediate language of GHC. GHC's ad- 
vanced features, such as GADTs and type families, are compiled 
into FC as type equalities. This section reviews the current status 
of System FC, describes that compilation, and puts our work in 
context. FC has evolved over time, from its initial definition (Sulzmann
et al. 2007), to the extensions FC2 (Weirich et al. 2011) and
FC↑ (Yorgey et al. 2012). In this paper, we use the name FC for the
language and all of its variants. Our technical discussion contrasts
our new extensions with the most recent prior version, FC↑.

Along with the usual kinds (κ), types (τ) and expressions (e),
FC contains coercions (γ) that are proofs of type equality. The
judgement

    Γ ⊢co γ : τ1 ~ τ2

checks that the coercion γ proves types τ1 and τ2 equal. These
proofs are used to change the types of expressions. For example, if
γ is a proof of τ1 ~ τ2, and the expression e has type τ1, then the
expression e ▷ γ (pronounced "e cast by γ") has type τ2.

Making type conversion explicit ensures that the FC typing
relation Γ ⊢tm e : τ is syntax-directed and decidable. This
is not the case in the source language; there type checking
requires nonlocal reasoning, such as unification and type class
resolution. Furthermore, in the presence of certain flags (such as
UndecidableInstances), it may not terminate.

Straightforward type checking is an important sanity check on 
the internals of GHC — transformations and optimizations must 
preserve typability. Therefore, all information necessary for type 
checking is present in FC expressions. This information includes 
explicit type abstractions and applications (System FC is an extension
of System Fω (Girard 1972)) as well as explicit proofs of type
equality. 

For example, type family definitions are compiled to axioms 
about type equality that can be used in FC coercion proofs. A type 
family declaration and instance in source Haskell 

type family F a :: *
type instance F Bool = Int

generates the following FC axiom declaration: 

axF : F Bool ~ Int 

When given a source language function of type 

g :: forall a. a -> F a -> Char

the expression g True 3 translates to the FC expression 

g Bool True (3 ▷ sym axF)



that instantiates g at type Bool and coerces 3 to have type F Bool. 
The coercion sym axF is a proof that Int ~ F Bool. 

GADTs are compiled into FC so that pattern matching on their 
data constructors introduces type equality assumptions into the 
context. For example, consider the following simple GADT. 

data T :: * -> * where
  TInt :: T Int

This declaration could have also been written as a normal datatype 
where the type parameter is constrained to be equal to Int. 

data T a = (a ~ Int) => TInt

In fact, all GADTs can be rewritten in this form using equality 
constraints. Pattern matching makes this constraint available to the 
type checker. For example, the type checker concludes below that 
3 has type a because the type Int is known to be equal to a. 

f :: T a -> a
f TInt = 3

In the translation to FC, the Tint data constructor takes this 
equality constraint as an explicit argument. 

TInt : ∀a:*. (a ~ Int) ⇒ T a

When pattern matching on values of type T a, this proof is avail- 
able for use in a cast. 

f = Λa:*. λx:T a. case x of
      TInt (c : a ~ Int) → (3 ▷ sym c)

Coercion assumptions and axioms can be composed to form
larger proofs. FC includes a number of forms in the coercion language
that witness the reflexivity, symmetry and transitivity of type
equality. Furthermore, equality is a congruent relation over types.
For example, if we have proofs of τ1 ~ τ2 and τ1' ~ τ2', then we
can form a proof of the equality τ1 τ1' ~ τ2 τ2'. Finally, composite
coercion proofs can be decomposed. For example, data constructors
T are injective, so given a proof of T τ1 ~ T τ2, a proof of
τ1 ~ τ2 can be produced.

Explicit coercion proofs are like explicit type arguments: they
are erasable from expressions and do not affect the operational
behavior of an expression. (We make this precise in Section 5.3.)
To ensure that coercions do not suspend computation, FC includes
"push rules". For example, when a coerced value is applied to an
argument, the coercion must be "pushed" to the argument and result
of the application so that β-reduction can occur.

$$\frac{\Gamma \vdash_{\mathrm{co}} \gamma : \sigma_1 \to \sigma_2 \sim \tau_1 \to \tau_2}{(v \triangleright \gamma)\; e \longrightarrow (v\;(e \triangleright \mathrm{sym}\,(\mathrm{nth}^1\,\gamma))) \triangleright \mathrm{nth}^2\,\gamma}\quad\text{S\_Push}$$

In this rule, if the expression (v ▷ γ) e is well typed, then γ must
be a proof of the equality σ1 → σ2 ~ τ1 → τ2. The coercions
sym (nth¹ γ) and nth² γ decompose this proof into coercions
for the argument (τ1 ~ σ1) and result (σ2 ~ τ2) of the application.
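The proof forms just described (reflexivity, symmetry, transitivity, congruence, decomposition with nth, and assumptions from the context) and the way S_Push splits an arrow coercion can be exercised on a small model. The checker below is an added example, not code from the paper or from GHC: it covers a type-only fragment (no kinds, binders, kind casts or axiom schemes), all constructor and helper names are invented, and the context ctx0 is constructed, with the coercion g standing in for the γ of S_Push. It shows two things the prose only states: that coercion checking is a function from the proof term to the proposition it proves, with no search, and why decomposition must be restricted to injective heads (a type family application like F Bool must not be decomposable, or the two axioms in ctx0 would prove Bool ~ Char).

```haskell
{-# LANGUAGE LambdaCase #-}
-- Added example (not from the paper): a syntax-directed checker for a
-- type-only fragment of the FC coercion language.
module CoercionCheck where

-- Types: variables, injective constants (type constructors, promoted data
-- constructors and the arrow "->"), non-injective type functions (type
-- families), and application.
data Ty = TVar String | TCon String | TFun String | TApp Ty Ty
  deriving (Eq, Show)

-- Propositions tau1 ~ tau2.
data Prop = Ty :~ Ty
  deriving (Eq, Show)

-- Coercion proof terms.
data Co
  = CRefl Ty       -- reflexivity:   tau ~ tau
  | CSym Co        -- symmetry:      tau1 ~ tau2  gives  tau2 ~ tau1
  | CTrans Co Co   -- transitivity:  tau1 ~ tau2, tau2 ~ tau3  give  tau1 ~ tau3
  | CApp Co Co     -- congruence:    t1 ~ t2, s1 ~ s2  give  t1 s1 ~ t2 s2
  | CNth Int Co    -- decomposition: T a0..an ~ T b0..bn  gives  ai ~ bi
  | CAssume String -- a coercion variable or closed axiom from the context
  deriving Show

-- Context: coercion variables and axioms, by name.
type Ctx = [(String, Prop)]

-- Split a type into its head and argument list.
unapply :: Ty -> (Ty, [Ty])
unapply = go []
  where
    go acc (TApp f a) = go (a : acc) f
    go acc t          = (t, acc)

-- Given a coercion, compute the proposition it proves (Nothing if it is
-- ill-formed). Each form has exactly one rule, so this is a function rather
-- than a search: the coercion determines the proposition.
coKind :: Ctx -> Co -> Maybe Prop
coKind ctx = \case
  CRefl t -> Just (t :~ t)
  CSym g -> do
    t1 :~ t2 <- coKind ctx g
    Just (t2 :~ t1)
  CTrans g1 g2 -> do
    t1  :~ t2 <- coKind ctx g1
    t2' :~ t3 <- coKind ctx g2
    if t2 == t2' then Just (t1 :~ t3) else Nothing  -- middle types must agree
  CApp g1 g2 -> do
    f1 :~ f2 <- coKind ctx g1
    a1 :~ a2 <- coKind ctx g2
    Just (TApp f1 a1 :~ TApp f2 a2)
  CNth i g -> do
    t1 :~ t2 <- coKind ctx g
    let (h1, as1) = unapply t1
        (h2, as2) = unapply t2
    case (h1, h2) of
      -- Only a shared injective head may be decomposed. A TFun head is
      -- rejected: type families are not injective, and decomposing them
      -- would let the two axioms below prove Bool ~ Char.
      (TCon c1, TCon c2)
        | c1 == c2, length as1 == length as2, i >= 0, i < length as1
        -> Just (as1 !! i :~ as2 !! i)
      _ -> Nothing
  CAssume x -> lookup x ctx

-- Arrow types are applications of the constant "->", so nth 0 / nth 1
-- project the argument and result, as in S_Push.
arrow :: Ty -> Ty -> Ty
arrow s t = TApp (TApp (TCon "->") s) t

-- Constructed context: the axiom axF from the text, a second (hypothetical)
-- axiom for F Char, the GADT assumption c : a ~ Int, and an arrow coercion g.
ctx0 :: Ctx
ctx0 =
  [ ("axF", TApp (TFun "F") (TCon "Bool") :~ TCon "Int")
  , ("axG", TApp (TFun "F") (TCon "Char") :~ TCon "Int")
  , ("c",   TVar "a" :~ TCon "Int")
  , ("g",   arrow (TVar "s1") (TVar "s2") :~ arrow (TCon "Int") (TCon "Bool"))
  ]

-- sym axF : Int ~ F Bool, the coercion in  g Bool True (3 |> sym axF).
symAxF :: Maybe Prop
symAxF = coKind ctx0 (CSym (CAssume "axF"))

-- The two pieces S_Push needs from g : s1 -> s2 ~ Int -> Bool:
-- sym (nth 0 g) : Int ~ s1 for the argument, nth 1 g : s2 ~ Bool for the result.
pushArg, pushRes :: Maybe Prop
pushArg = coKind ctx0 (CSym (CNth 0 (CAssume "g")))
pushRes = coKind ctx0 (CNth 1 (CAssume "g"))

-- trans axF (sym axG) : F Bool ~ F Char is fine; decomposing it is not.
famEq, badNth :: Maybe Prop
famEq  = coKind ctx0 (CTrans (CAssume "axF") (CSym (CAssume "axG")))
badNth = coKind ctx0 (CNth 0 (CTrans (CAssume "axF") (CSym (CAssume "axG"))))

main :: IO ()
main = mapM_ print [symAxF, pushArg, pushRes, famEq, badNth]
```

The restriction in the CNth case is the model's version of the consistency condition the paper places on axioms: the type language may contain non-injective functions, but the coercion language must never be able to prove two distinct type constants equal.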

4. System FC with kind equalities 

The main idea of this paper is to augment FC with proofs of
equality between kinds and to use these proofs to explicitly coerce
the kinds of types. We do so via a new type form: if type τ has kind
κ1, and γ is a proof that kind κ1 equals kind κ2, then τ ▷ γ is the type
τ cast to kind κ2. There are several challenges to this extension,
which we address with the following technical solutions.

• Unifying kinds and types. A language with kind polymorphism, 
kind equalities, kind coercions, type polymorphism, type equal- 
ities and type coercions quickly becomes redundant (and some- 
what overwhelming). 
[Figure 1. Basic Grammar. The figure lists the syntactic categories of the language: type constants (the arrow, the type/kind *, type constructors, promoted data constructors); type-level names (type variables, type functions, type constants); types and kinds (names, polymorphic types, coercion abstraction types, type/kind application, casting, coercion application); propositions (coercion kinds); coercions (variables, axiom application, reflexivity, symmetry, transitivity, congruence for type/kind abstraction, coercion abstraction, type/kind application and coercion application, coherence, type/kind instantiation, coercion instantiation, nth argument projection, kind equality extraction); type-or-coercion arguments; expressions (variables, abstraction, application, type/kind abstraction and application, coercion abstraction and application, casting, data constructors, case analysis, absurdity); patterns; and telescopes (empty, type variable binding, coercion variable binding). The productions themselves are not reproduced here.]



Therefore, we follow pure type systems (Barendregt 1992) and
unify the syntax of types and kinds, allowing us to reuse type
coercions as kind coercions.[4] Although there is no syntactic
distinction between types and kinds, we informally use the
word type (metavariables τ and σ) for those members that
classify runtime expressions, and kind (metavariable κ) for
those members that classify expressions of the type language.

As in pure type systems, types and kinds share semantics:
there is a common judgement for the validity of both. Furthermore,
our rules include the *:* axiom, which means that there
is no real distinction between types and kinds. This choice
simplifies many aspects of the language design.

Languages such as Coq and Agda avoid the *:* axiom because
it introduces inconsistency, but that is not an issue here. The FC
type language is already inconsistent in the sense that all kinds
are inhabited. The type safety property of FC depends on the
consistency of its coercion language, not its type language. See
Section 6 and Section 7 for more discussion of this issue.[5]

• Making type equality "heterogeneous". As kinds classify types,
kind equality has nontrivial interactions with type equality.

Because kind coercions are explicit, there are equivalent types
that do not have syntactically identical kinds. Therefore, like
McBride's "John Major" equality (2002), our definition of type
equality τ1 ~ τ2 is heterogeneous: the types τ1 and τ2 could
have kinds κ1 and κ2 that have no syntactic relation to each
other. A proof γ of τ1 ~ τ2 implies not only that τ1 and τ2
are equal, but also that their kinds are equal. The new coercion
form kind γ extracts the proof of κ1 ~ κ2 from γ.

Another difficulty comes from the need to equate polymorphic
types that have coercible but not syntactically equal kinds for
the bound variable. We discuss the modification to this coercion
form in Section 4.3.1.

• Coercion irrelevance. Coercions should be irrelevant to both
the operational semantics and type equivalence. The fact that a 
coercion is used to change the type of an expression, or the kind 
of a type, should not influence the evaluation of the expression 
or the equalities available for the type. For the former, we 
maintain irrelevance by updating FC's "push rules" to the new 
semantics (see Section 5 for details). For the latter, we carefully 
construct our coercion forms to ignore coercions inside types 
(Section 4.3.2). 

• Dependent coercion abstraction. As in prior versions of FC,
coercions are first class: they can be passed as arguments to
functions and stored in data structures (as the arguments to
data constructors of GADTs). However, this system differs from
earlier versions in that the type form for these objects, written
∀c:φ. τ, names the abstracted proof with the variable c and
allows the type τ to refer to this coercion.

This extension is necessary for some kind-indexed GADTs. For 
example, consider the following datatype, which is polymor- 
phic over a kind and type parameter. 



data T :: forall k. k -> * where
  K :: forall (b :: *). b -> T b

The single data constructor K constrains the kind to be * but
does not otherwise constrain the type.

After translation, the data constructor should be given the following
FC type, where the abstracted kind coercion c is used to
cast the kind of the parameter b from k to *.

K : ∀k:*, b:k. ∀c:(k ~ *). (b ▷ c) → T k b

[4] GHC already uses a shared datatype for types and kinds, so this merge
brings the formalism closer to the actual implementation.

[5] If a consistent type language were desired for FC for other reasons, we
believe that the ideas presented in this paper are adaptable to the stratification
of * into universe levels (Luo 1994), as is done in Coq and Agda.

4.1 Type system overview 

The next few subsections go into more detail about these technical 
points. We start with a quick tour of the type system. 

The new syntax for FC appears in Figure 1; forms that are new
or modified in this paper are highlighted in the typeset version; these
modifications are primarily in the type and coercion languages. Also,
note that * is a new type constant and κ is a metavariable for types.
The only difference in the grammar for expressions is that type
abstractions and kind abstractions have been merged. In general, the
type system and operational semantics for the expression language
are the same here as in prior versions of FC.

A context Γ is a list of assumptions for term variables (x), type
variables/datatypes/data constructors (w), coercion variables (c),
and coercion axioms (C).

    Γ ::= ∅ | Γ, x:τ | Γ, w:κ | Γ, c:φ | Γ, C:∀Δ.φ

The type system includes the following judgements:

    ⊢wf Γ          Context validity           (Figure 5)
    Γ ⊢ty τ : κ    Type/kind validity         (Figure 2)
    Γ ⊢pr φ ok     Proposition validity       (Figure 3)
    Γ ⊢tm e : τ    Expression typing          (appendix)
    Γ ⊢co γ : φ    Coercion validity          (Figure 4)
    Γ ⊢tel ρ ⇐ Δ   Telescope arg. validity    (appendix)

Each of the judgements is syntax directed: given the information 
before the colon (if present), a simple algorithm determines if the 
judgement holds, and recovers the information after the colon. 

4.2 Type and kind formation 

We next describe our extensions and modifications to the rules 
classifying FC types into kinds, which appear in Figure 2. Some 
of these rules are unchanged or only slightly modified from prior 
versions of FC. 

For example, rule K_Var looks up the kind of a type-level
name from the typing context. Unlike previous systems, this rule
now covers the kinding of promoted constructors, since w ranges
over them. Recall that datatype promotion allows data constructors,
such as TInt, to appear in types and be the arguments of type
functions. Previously, the types of data constructors had to be
explicitly promoted to kinds (Yorgey et al. 2012). Now, any data
constructor may freely be used as a type. When the constructor is
used as a type, its kind is the same as the type of the constructor
when used as a term.

Rule K_Arrow gives the expected kind for the arrow type constructor.
We use the usual syntactic sugar for arrow types, writing
τ1 → τ2 for (→) τ1 τ2. Note that the kind of the arrow type constructor
is itself an arrow type. However, that circularity does not
cause difficulty. After that, the rule K_AllT describes when polymorphic
types are well formed.

The next two rules describe when type application is well-formed.
Application is overloaded in these rules, but the system
is still syntax-directed: the type of the first component determines
which rule applies. We do not combine function types σ1 → σ2
and polymorphic types ∀a:κ. σ into a single form because of type
erasure: term arguments are necessary at runtime, whereas type
arguments may be erased. Although this distinction is meaningless at



$$\frac{\vdash_{\mathrm{wf}} \Gamma \qquad w{:}\kappa \in \Gamma}{\Gamma \vdash_{\mathrm{ty}} w : \kappa}\quad\text{K\_Var}
\qquad\qquad
\frac{\vdash_{\mathrm{wf}} \Gamma}{\Gamma \vdash_{\mathrm{ty}} (\to) : \star \to \star \to \star}\quad\text{K\_Arrow}$$

Figure 2. Kind and type formation rules (judgement forms Γ ⊢ty τ : κ and Γ ⊢co γ : φ; only the rules K_Var and K_Arrow are reproduced here, the remaining rules are described in the text).



$$\frac{\Gamma \vdash_{\mathrm{ty}} \sigma_1 : \kappa_1 \qquad \Gamma \vdash_{\mathrm{ty}} \sigma_2 : \kappa_2}{\Gamma \vdash_{\mathrm{pr}} \sigma_1 \sim \sigma_2\ \mathrm{ok}}\quad\text{Prop\_Equality}$$

Figure 3. Proposition formation rule



the kind level, it is benign. Identifying these forms at the kind level
while retaining the distinction at the term level would needlessly
complicate the language.

The rules K_StarInStar, K_Cast, K_CApp and K_AllC
check the new type forms. The first says that * has kind *.

To preserve the syntax-directed nature of FC, we must make the
use of kind equality proofs explicit. We do so via the new form τ ▷ γ
of kind casts: when given a type τ of kind κ1 and a proof γ that kind
κ1 equals kind κ2, the cast produces a type of kind κ2. Because
equality is heterogeneous, the K_Cast rule requires a third premise
to ensure that the new kind has the correct classification, so that
inhabited types have kind *.

To promote GADTs we must be able to promote data constructors
that take coercions as arguments, requiring the new application
form τ γ. For example, the data constructor TInt (from Section 3)
requires a type argument τ and a proof that τ ~ Int. Note that there
is no type-level abstraction over coercions: the form τ γ can only
appear when the head of τ is a promoted data constructor.

4.3 Coercions 

Coercions are proof terms witnessing the equality between types 
(and kinds), and are classified by propositions <fi. The rules under 
which the proofs can be derived appear in Figure 4, with the validity 
rule for <f> appearing in Figure 3. These rules establish properties of 
the type equality relation: 
[Figure 4. Coercion formation rules; the rules themselves are not reproduced here.]

• Equality is an equivalence relation, as seen in rules CT_Refl,
CT_Sym, and CT_Trans.

• Equality is congruent: types with equal subcomponents are
equal. Every type formation rule (except for the base cases like
variables and constants) has an associated congruence rule. The
exception is kind coercion τ ▷ γ, where the congruence rule is
derivable (see Section 4.3.2). The congruence rules are mostly
straightforward; we discuss the rules for quantified types (rules
CT_AllT and CT_AllC) in Section 4.3.1.

• Equality can be assumed. Coercion variables and axioms add
assumptions about equality to the context and appear in proofs
(using rules CT_Var and CT_Axiom respectively). These axioms
for type equality are allowed to be axiom schemes: they
may be parameterized and must be instantiated when used.

The general form of the type of an axiom, C:∀Δ.φ, gathers
multiple parameters in a telescope, a context denoted with Δ of
type and coercion variables, each of which scopes over the remainder
of the telescope as well as the body of the axiom. We
specify the list of instantiations for a telescope with ρ, a mixed
list of types and coercions. When type checking an axiom application,
we must type check its list of arguments ρ against
the given telescope. The judgement form Γ ⊢tel ρ ⇐ Δ (presented
in the appendix) checks each argument in ρ in turn against
the binding in the telescope, scoping variables appropriately.

• Equality can be decomposed using the next six rules. For example,
because we know that datatypes are injective type functions,
we can decompose a proof of the equivalence of two
datatypes into equivalence proofs for any pair of corresponding
type parameters (CT_Nth). Furthermore, the equivalence
of two polymorphic types means that the kinds of the bound
variables are equivalent (CT_Nth1TA), and that all instantiations
of the bound variables are equivalent (CT_Inst). The
same is true for coercion abstraction types (rules CT_Nth1CA,
CT_Nth2CA, and CT_InstC).

• Equality is heterogeneous. If 7 is a proof of the equality n ~ 
r 2 , then kind 7 extracts a proof of equality between the kinds 
of T\ and T2 . 

4.3.1 Congruence rules for quantified types 

In prior versions of FC, the coercion ∀a:κ.γ proved the equality proposition ∀a:κ.τ1 ~ ∀a:κ.τ2, using the following rule:

$$\frac{\Gamma \vdash_{ty} \kappa : \star \qquad \Gamma, a{:}\kappa \vdash_{co} \gamma : \tau_1 \sim \tau_2}{\Gamma \vdash_{co} \forall a{:}\kappa.\,\gamma : (\forall a{:}\kappa.\,\tau_1) \sim (\forall a{:}\kappa.\,\tau_2)}\ \text{CT\_AllT}$$

This rule sufficed because the only quantified types that could be shown equal had the same syntactic kind κ for the bound variable. However, we now have a nontrivial equality between kinds. We need to be able to show a more general proposition, ∀a:κ1.τ1 ~ ∀a:κ2.τ2, even when κ1 is not syntactically equal to κ2.

Without this generality, the language does not satisfy the preservation theorem, which requires that the equality relation be substitutive — given a valid type σ where a appears free, and a proof Γ ⊢co γ : τ1 ~ τ2, we must be able to derive a proof between σ[τ1/a] and σ[τ2/a]. For this property to hold, if a occurs in the kind of a quantified type (or coercion) variable ∀b:σ.τ, then we must be able to derive ∀b:τ1.τ ~ ∀b:τ2.τ.

Rule CT_AllT shows when two polytypes are equal. The first premise requires a proof η that the kinds of the bound variables are equal. But these two kinds might not be syntactically equal, so we must have two type variables, a1 and a2, one of each kind. The second premise of the rule adds both bindings a1:κ1 and a2:κ2 to the context as well as an assertion c that a1 and a2 are equal. The polytypes themselves can only refer to their own variables, as verified by the last two premises of the rule.

The other type form that includes binding is the coercion abstraction, ∀c:φ.τ. The rule CT_AllC constructs a proof that two types of this form are equal. We can only construct such proofs when the abstracted propositions relate correspondingly equal types, as witnessed by proofs η1 and η2. The proof term introduces two coercion variables into the context, similar to the two type variables above. Due to proof irrelevance, there is no need for a proof of equality between coercions themselves. Note that the kind of c1 is not that of η1: the kind of c1 is built from types in both η1 and η2.

The rule CT_AllC also restricts how the variables c1 and c2 can be used in γ. The premises c1 # |γ| and c2 # |γ| prevent these variables from appearing in the relevant parts of γ. (The freshness operator # requires its two arguments to have disjoint sets of free variables.) This restriction stems from our proof technique for the consistency of this proof system; we define the erasure operation |·| and discuss this issue in more detail in Section 6.

4.3.2 Coercion irrelevance and coherence 

Although the type system includes a judgement for type equality, and types may include explicit coercion proofs, the system does not include a judgement that states when two coercion proofs are equal. The reason is that this relation is trivial — all coercions should be considered equivalent. As a result, coercion proofs are irrelevant to type equality.

This "proof irrelevance" is guaranteed by several of the coercion rules. Consider the congruence rule for coercion application, CT_CApp: there are no restrictions on γ1 and γ2 other than well-formedness. Another example is rule CT_InstC — again, no relation is required between the coercions γ1 and γ2.

Not only is the identity of coercion proofs irrelevant, but it is always possible to equate a type with a casted version of itself. The coherence rule, CT_Coh, essentially says that the use of kind coercions can be ignored when proving type equalities. Although this rule seems limited, it is sufficient to derive the elimination and congruence rules for coerced types, as seen below.

$$\frac{\Gamma \vdash_{co} \gamma : \tau_1 \sim \tau_2 \qquad \Gamma \vdash_{ty} \tau_1 \triangleright \eta_1 : \kappa_1 \qquad \Gamma \vdash_{ty} \tau_2 \triangleright \eta_2 : \kappa_2}{\Gamma \vdash_{co} (\mathsf{sym}\,((\mathsf{sym}\,\gamma) \triangleright \eta_2)) \triangleright \eta_1 : \tau_1 \triangleright \eta_1 \sim \tau_2 \triangleright \eta_2}$$

(Again, note that there is no relation required between η1 and η2.) We use the syntactic sugar γ ▹ η1 ~ η2 to abbreviate the coercion (sym ((sym γ) ▹ η2)) ▹ η1.
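The derivation behind this sugar, written out step by step (an added worked example, not part of the original text), shows why η1 and η2 never need to relate to each other. The only fact about CT_Coh it relies on is the one forced by the derived rule's own conclusion: a coherence coercion γ ▹ η casts the left-hand type of the proposition, γ ▹ η : τ ▹ η ~ τ' whenever γ : τ ~ τ'.

$$\begin{aligned}
\Gamma \vdash_{co} \gamma &: \tau_1 \sim \tau_2 && \text{(given)}\\
\Gamma \vdash_{co} \mathsf{sym}\,\gamma &: \tau_2 \sim \tau_1 && \text{(CT\_Sym)}\\
\Gamma \vdash_{co} (\mathsf{sym}\,\gamma) \triangleright \eta_2 &: \tau_2 \triangleright \eta_2 \sim \tau_1 && \text{(CT\_Coh, needs } \Gamma \vdash_{ty} \tau_2 \triangleright \eta_2 : \kappa_2)\\
\Gamma \vdash_{co} \mathsf{sym}\,((\mathsf{sym}\,\gamma) \triangleright \eta_2) &: \tau_1 \sim \tau_2 \triangleright \eta_2 && \text{(CT\_Sym)}\\
\Gamma \vdash_{co} (\mathsf{sym}\,((\mathsf{sym}\,\gamma) \triangleright \eta_2)) \triangleright \eta_1 &: \tau_1 \triangleright \eta_1 \sim \tau_2 \triangleright \eta_2 && \text{(CT\_Coh, needs } \Gamma \vdash_{ty} \tau_1 \triangleright \eta_1 : \kappa_1)
\end{aligned}$$

Each cast is introduced on whichever side currently sits on the left, and the two uses of CT_Sym are only there to move the other side into that position; the well-kindedness premises of the derived rule are exactly the two side conditions CT_Coh consumes.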

Likewise, coherence derives a proof term for decomposing equalities between coerced types.

$$\frac{\Gamma \vdash_{co} \gamma : \tau_1 \triangleright \gamma_1 \sim \tau_2 \triangleright \gamma_2}{\Gamma \vdash_{co} \mathsf{sym}\,(\langle\tau_1\rangle \triangleright \gamma_1)\,;\,\gamma\,;\,(\langle\tau_2\rangle \triangleright \gamma_2) : \tau_1 \sim \tau_2}$$

4.4 Datatypes

Because we focus on the treatment of equality in the type language, 
we omit most of the discussion of the expression language and its 
operational semantics. However, since we have collapsed types and 
kinds, we must revise the treatment of datatypes, whose construc- 
tors can contain types and kinds as arguments. Previously, the ar- 
guments to datatype constructors were ordered with all kind argu- 
ments occurring before all type arguments (Yorgey et al. 2012). 
In this language, we cannot divide up the arguments in this way. 
Therefore, we again use the technique of telescopes to describe the 
more complex dependency between arguments. 

The validity rules for contexts (see Figure 5) restrict datatype constants T to have kind ∀ ā:κ̄. *. We call the variables ā the parameters of the datatype. For example, the kind of the datatype List is ∀a:*. * and the kind of the datatype TyRep (the first version from Section 2) is ∀k:*, t:k. *. Furthermore, datatypes can only be parameterized by types and kinds, not coercions.

Figure 5. Context formation rules (excerpted)

Likewise, the same validity rules force data constructors K to have types/kinds of the form

$$\forall\,\overline{a{:}\kappa}.\ \forall\,\Delta.\ (\overline{\sigma} \to T\,\overline{a})$$

Each data constructor K must produce an element of T applied to all of its parameters ā. Above, the form ∀Δ. τ is syntactic sugar for a list of nested quantified types. The scope of the bound variables includes both the remainder of the telescope Δ and the form within the quantification (in this case, σ̄ → T ā).

The telescope Δ describes the existential arguments to the data constructor. These arguments may be either coercions or types, and because of the dependency, must be allowed to freely intermix. For example, the data constructor TyInt from Section 2 (a data constructor belonging to TyRep : ∀k:*, t:k. *) includes two coercions in its telescope, one asserting that the kind parameter k is *, the second asserting that the type parameter t is Int:

TyInt : ∀k:*, t:k. ∀c1:k ~ *, c2:t ~ Int. TyRep k t

Likewise, the data constructor TyApp existentially binds k', a, b, and c — one kind and two type variables followed by a coercion.

TyApp : ∀k:*, t:k. ∀k':*, a:k' → k, b:k', c:t ~ a b.
        TyRep (k' → k) a → TyRep k' b → TyRep k t

A datatype value is of the form K τ̄ ρ̄ ē, where τ̄ denotes the parameters (which cannot include coercions), ρ̄ instantiates the existential arguments, and ē is the list of usual expression arguments to the data constructor.

5. The "push" rules and the preservation theorem 

Now that we have defined our extensions, we turn to the metatheory: preservation and progress. While the operational semantics is largely unchanged from prior work, we detail here a few key differences. The most intricate part of the operational semantics of FC is the "push" rules, which ensure that coercions do not interfere with the small step semantics. Coercions are "pushed" into the subcomponents of values whenever a coerced value appears in an elimination context. System FC has four push rules, one for each such context: term application, type application, coercion application, and pattern matching on a datatype. The first three are straightforward and are detailed in previous work (Yorgey et al. 2012). In this section, we focus on pattern matching and the S_KPush rule.

5.1 Pushing coercions through constructors 

When pattern matching on a coerced datatype value of the form K τ̄ ρ̄ ē ▹ γ, the coercion must be distributed over all of the arguments of the data constructor, producing a new scrutinee K τ̄' ρ̄' ē' as shown in Figure 6. In the rest of this section, we explain the rule by describing the form of the lifting context Ψ and its use in the definition of τ̄', ρ̄' and ē'.

The S_KPush rule uses a lifting operation Ψ(·) on expressions which coerces the type of its argument (e in Figure 6). For example, suppose we have a data constructor K of type ∀a:*. F a → T a for some type function F and some type constructor T. Consider what happens when a case expression has the scrutinee (K Int e) ▹ γ, where γ is a coercion of type T Int ~ T τ'. The push rule should convert this expression to K τ' (e ▹ γ') for some new coercion γ' showing F Int ~ F τ'. To produce γ', we need to lift the type F a to a coercion along the coercion nth1 γ, which shows Int ~ τ'.

In previous work, lifting was written σ[a ↦ γ], defined by analogy with substitution. Because of the similar syntax of types and coercion proofs, we could think of lifting as replacing a type variable with a coercion to produce a new coercion. That intuition holds true here, but we require more machinery to make this precise.

Lifting contexts We define lifting with respect to a lifting context Ψ, which maps type variables to triples (τ1, τ2, γ) and coercion variables to pairs (η1, η2). The forms τ1 and η1 refer to the original, uncoerced parameters to the data constructor (Int in our example). The forms τ2 and η2 refer to the new, coerced parameters to the data constructor (like τ' in our example). Finally, the coercion γ witnesses the equality of τ1 and τ2. No witness is needed for the equality between η1 and η2 — equality on proofs is trivial.

The lifting operation is defined by structural recursion on its type argument. This operation is complicated by type forms that bind fresh variables: ∀a:κ.τ and ∀c:φ.τ. Lifting over these types introduces new mappings in the lifting context, marked with ↦∀.

$$\Psi ::= \emptyset \mid \Psi, a{:}\kappa \mapsto (\tau_1, \tau_2, \gamma) \mid \Psi, c{:}\phi \mapsto (\gamma_1, \gamma_2) \mid \Psi, a{:}\kappa \mapsto^{\forall} (a_1, a_2, c) \mid \Psi, c{:}\phi \mapsto^{\forall} (c_1, c_2)$$

(When the distinction does not matter, we write ↦ for a mapping created with either of the two forms.) A lifting context Ψ induces two multisubstitutions Ψ1(·) and Ψ2(·), as follows:

Definition 5.1 (Lifting context substitution). Ψ1(·) and Ψ2(·) are multisubstitutions, applicable to types, coercions, telescopes, typing contexts, and even other lifting contexts.

1. For each a:κ ↦ (τ1, τ2, γ) in Ψ, Ψ1(·) maps a to τ1 and Ψ2(·) maps a to τ2.

2. For each c:φ ↦ (γ1, γ2) in Ψ, Ψ1(·) maps c to γ1 and Ψ2(·) maps c to γ2.

Now we can state the judgement form Γ ⊢lc Δ ⇝ Ψ, shown in Figure 7, which defines when a lifting context is valid and compatible with a given telescope.

The two substitution operations satisfy straightforward substi- 
tution lemmas, defined and proved in the appendix. The usual sub- 
stitution lemmas, which substitute a single type or coercion, are a 
direct corollary of these lemmas. 
Figure 7. Lifting context validity

We can now define lifting:⁶

Definition 5.2 (Lifting). We define the lifting of types to coercions, written Ψ(τ), by induction on the type structure. The following equations, to be tried in order, define the operation. (Note that the last line uses the syntactic sugar introduced in Section 4.3.2.)

$$\begin{aligned}
\Psi(a) &= \gamma && \text{when } a{:}\kappa \mapsto (\tau_1, \tau_2, \gamma) \in \Psi\\
\Psi(\tau) &= \langle\tau\rangle && \text{when } \tau \mathrel{\#} \mathrm{dom}(\Psi)\\
\Psi(\tau_1\,\tau_2) &= \Psi(\tau_1)\,\Psi(\tau_2)\\
\Psi(\tau\,\gamma) &= \Psi(\tau)(\Psi_1(\gamma), \Psi_2(\gamma))\\
\Psi(\forall a{:}\kappa.\,\tau) &= \forall\Psi(\kappa)(a_1, a_2, c).\,\Psi'(\tau) && \text{where } \Psi' = \Psi, a{:}\kappa \mapsto^{\forall} (a_1, a_2, c) \text{ and } a_1, a_2, c \text{ are fresh}\\
\Psi(\forall c{:}\sigma_1 \sim \sigma_2.\,\tau) &= \forall(\Psi(\sigma_1), \Psi(\sigma_2))(c_1, c_2).\,\Psi'(\tau) && \text{where } \Psi' = \Psi, c{:}\sigma_1 \sim \sigma_2 \mapsto^{\forall} (c_1, c_2) \text{ and } c_1, c_2 \text{ are fresh}\\
\Psi(\tau \triangleright \gamma) &= \Psi(\tau) \triangleright \Psi_1(\gamma) \sim \Psi_2(\gamma)
\end{aligned}$$

The lifting lemma establishes the correctness of the lifting operation and shows that equality is congruent.

Lemma 5.3 (Lifting Lemma). If Ψ is a valid lifting context for context Γ and the telescope Δ, and Γ, Δ ⊢ty τ : κ, then

$$\Gamma \vdash_{co} \Psi(\tau) : \Psi_1(\tau) \sim \Psi_2(\tau)$$

Lifting context creation In the S_KPush rule, the actual context Ψ used for lifting is built in two stages. First, context(γ) defines a lifting context with coercions for the parameters to the datatype.

Definition 5.4 (Lifting context generation). If Γ ⊢co γ : T σ̄ ~ T σ̄', and T : ∀ ā:κ̄. * ∈ Γ, where the lists σ̄, σ̄', and ā:κ̄ are all of length n, then define context(γ) as

$$\mathrm{context}(\gamma) = \overline{a_i{:}\kappa_i \mapsto (\sigma_i, \sigma'_i, \mathsf{nth}_i\,\gamma)}^{\,i \in 1..n}$$

Intuitively, (context(γ))1(τ) replaces all parameters ā in τ with the corresponding type on the left of ~ in the type of γ. Similarly, (context(γ))2(τ) replaces ā with the corresponding type on the right of ~.

⁶ This definition is not just for the proof — it is implemented in GHC as part of the optimizer to reduce case expressions.



The lifting context that results from this coercion is compatible with the parameters of the datatype. More precisely:

Lemma 5.5 (Lifting context specification). If Γ ⊢co γ : T σ̄ ~ T σ̄', and T : ∀ ā:κ̄. * ∈ Γ, then Γ ⊢lc ā:κ̄ ⇝ context(γ).

Proof. Straightforward induction. □



Next, this initial lifting context is extended with coercions using the operation extend(·), which adds mappings for the variables in Δ, the existential parameters to the data constructor K. Due to the dependency, we define the operation recursively. The intuition still holds: (extend(Ψ; ρ; Δ))1(τ) replaces free variables in τ with their corresponding "from" types, while (extend(Ψ; ρ; Δ))2(τ) replaces variables with their corresponding "to" types.

Definition 5.6 (Lifting context extension). Define the operation of lifting context extension, written extend(Ψ; ρ; Δ), as:

$$\begin{aligned}
\mathrm{extend}(\Psi; \emptyset; \emptyset) &= \Psi\\
\mathrm{extend}(\Psi; \rho, \tau; \Delta, a{:}\kappa) &= \Psi', a{:}\kappa \mapsto (\tau,\ \tau \triangleright \Psi'(\kappa),\ \mathsf{sym}\,(\langle\tau\rangle \triangleright \Psi'(\kappa))) && \text{where } \Psi' = \mathrm{extend}(\Psi; \rho; \Delta)\\
\mathrm{extend}(\Psi; \rho, \gamma; \Delta, c{:}\sigma_1 \sim \sigma_2) &= \Psi', c{:}\sigma_1 \sim \sigma_2 \mapsto (\gamma,\ \mathsf{sym}\,(\Psi'(\sigma_1))\,;\,\gamma\,;\,\Psi'(\sigma_2)) && \text{where } \Psi' = \mathrm{extend}(\Psi; \rho; \Delta)
\end{aligned}$$
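To make the definitions of this section concrete, here is an added Python example (not code from the paper or from GHC) that implements the lifting context substitutions of Definition 5.1, the lifting operation of Definition 5.2 and context(γ) of Definition 5.4 for a constructed first-order fragment of the type language, and checks Lemma 5.3 on the running example of Section 5.1. The data constructor K, the type family F, the coercion γ and the parameter list ['a'] are assumptions built for the example; coercion variables carry their proposition inline instead of being looked up in Γ, nth is 1-based as in the paper, and the extend(·) operation of Definition 5.6 is not covered.

```python
import itertools

# Added example, not code from the paper or GHC: Definitions 5.1, 5.2 and 5.4
# for a constructed fragment (variables, constants, application, ∀a:κ.τ; no
# casts or coercion abstractions).  Binders are assumed distinct from the free
# variables of Ψ (Barendregt convention), so substitution never captures.
# Types:     ('var', a) | ('con', T) | ('app', t1, t2) | ('all', a, k, t)
# Coercions: ('refl', t)                  ⟨τ⟩
#            ('cvar', c, t1, t2)          c, carrying the proposition t1 ~ t2
#                                         that Γ would assign to it (assumed)
#            ('app', g1, g2)              γ1 γ2
#            ('nth', i, g)                nth_i γ, 1-based as in the paper
#            ('allT', eta, a1, a2, c, g)  ∀η(a1, a2, c). γ
_counter = itertools.count()

def fresh(base):
    return f"{base}_{next(_counter)}"

def spine(t):
    """Split a type application into its head and argument list."""
    args = []
    while t[0] == 'app':
        args.insert(0, t[2])
        t = t[1]
    return t, args

def subst(psi, t, side):
    """Definition 5.1: Ψ_side(τ) replaces a ∈ dom(Ψ) by component side (1 or 2)."""
    tag = t[0]
    if tag == 'var':
        return psi[t[1]][side - 1] if t[1] in psi else t
    if tag == 'con':
        return t
    if tag == 'app':
        return ('app', subst(psi, t[1], side), subst(psi, t[2], side))
    a, k, body = t[1:]
    inner = {b: m for b, m in psi.items() if b != a}     # the binder shadows Ψ
    return ('all', a, subst(psi, k, side), subst(inner, body, side))

def lift(psi, t):
    """Definition 5.2: the coercion Ψ(τ)."""
    tag = t[0]
    if tag == 'var' and t[1] in psi:                  # Ψ(a) = γ when a ↦ (τ1, τ2, γ) ∈ Ψ
        return psi[t[1]][2]
    if tag in ('var', 'con'):                         # Ψ(τ) = ⟨τ⟩ when τ # dom(Ψ)
        return ('refl', t)
    if tag == 'app':                                  # Ψ(τ1 τ2) = Ψ(τ1) Ψ(τ2)
        return ('app', lift(psi, t[1]), lift(psi, t[2]))
    a, k, body = t[1:]                                # Ψ(∀a:κ.τ) = ∀Ψ(κ)(a1, a2, c). Ψ'(τ)
    a1, a2, c = fresh(a), fresh(a), fresh('c')
    psi2 = dict(psi)                                  # Ψ' = Ψ, a:κ ↦∀ (a1, a2, c)
    psi2[a] = (('var', a1), ('var', a2), ('cvar', c, ('var', a1), ('var', a2)))
    return ('allT', lift(psi, k), a1, a2, c, lift(psi2, body))

def coercion_type(g):
    """The proposition a coercion proves, following the CT_ rules named inline."""
    tag = g[0]
    if tag == 'refl':                                 # CT_Refl
        return g[1], g[1]
    if tag == 'cvar':                                 # CT_Var
        return g[2], g[3]
    if tag == 'app':                                  # CT_App
        (l1, r1), (l2, r2) = coercion_type(g[1]), coercion_type(g[2])
        return ('app', l1, l2), ('app', r1, r2)
    if tag == 'nth':                                  # CT_Nth: datatypes are injective
        l, r = coercion_type(g[2])
        return spine(l)[1][g[1] - 1], spine(r)[1][g[1] - 1]
    eta, a1, a2, c, body = g[1:]                      # CT_AllT
    (k1, k2), (t1, t2) = coercion_type(eta), coercion_type(body)
    return ('all', a1, k1, t1), ('all', a2, k2, t2)

def context(params, gamma):
    """Definition 5.4: for γ : T σ̄ ~ T σ̄', map a_i to (σ_i, σ'_i, nth_i γ)."""
    lhs, rhs = coercion_type(gamma)
    largs, rargs = spine(lhs)[1], spine(rhs)[1]
    return {a: (largs[i], rargs[i], ('nth', i + 1, gamma))
            for i, a in enumerate(params)}

def alpha_eq(s, t, env=()):
    """Equality of types up to renaming of bound variables."""
    if s[0] != t[0]:
        return False
    if s[0] == 'var':
        for x, y in env:                              # innermost binder first
            if x == s[1] or y == t[1]:
                return x == s[1] and y == t[1]
        return s[1] == t[1]
    if s[0] == 'con':
        return s[1] == t[1]
    if s[0] == 'app':
        return alpha_eq(s[1], t[1], env) and alpha_eq(s[2], t[2], env)
    return alpha_eq(s[2], t[2], env) and alpha_eq(s[3], t[3], ((s[1], t[1]),) + env)

def lifting_lemma_holds(psi, t):
    """Lemma 5.3 on one instance: Ψ(τ) proves Ψ1(τ) ~ Ψ2(τ)."""
    lhs, rhs = coercion_type(lift(psi, t))
    return alpha_eq(lhs, subst(psi, t, 1)) and alpha_eq(rhs, subst(psi, t, 2))

# The running example of Section 5.1: K : ∀a:*. F a → T a and a scrutinee
# (K Int e) ▹ γ with γ : T Int ~ T τ'.  γ is a constructed assumption.
GAMMA = ('cvar', 'g', ('app', ('con', 'T'), ('con', 'Int')),
                      ('app', ('con', 'T'), ('var', "t'")))
PSI = context(['a'], GAMMA)                           # a ↦ (Int, τ', nth_1 γ)
F_A = ('app', ('con', 'F'), ('var', 'a'))
GAMMA_PRIME = lift(PSI, F_A)                          # γ' : F Int ~ F τ'
```

lifting_lemma_holds walks a type twice, once through Ψ(·) and once through Ψ1 and Ψ2, and compares the proposition the lifted coercion proves with the two substitutions modulo renaming of bound variables. The ∀ case is where the ↦∀ mapping and the fresh variables a1, a2 and c of Definition 5.2 do their work: the lifted coercion quantifies over two differently named variables while each substitution keeps the original binder, and the two only agree up to α-renaming.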

5.2 Type preservation 

Now that we have explained the most novel part of the operational 
semantics, we can state the preservation theorem. 

Theorem 5.7 (Preservation). If Γ ⊢tm e : τ and e ⟶ e' then Γ ⊢tm e' : τ.

The proof of this theorem is by induction on the typing deriva- 
tion, with a case analysis on the small-step. Most of the rules 
are straightforward, following directly by induction or by substi- 
tution. The "push" rules require reasoning about coercion propaga- 
tion. We include the details of the rules that differ from previous 
work (Weirich et al. 2010) in the appendix. 

5.3 Correctness of push rules: The type erasure theorem 

We care not only that the push rules preserve types, but that they do 
"the right thing." Do these rules reduce to no-ops if we erase types 
and coercions? 

To state this formally, we define an erasure operation |·| over expressions. This operation erases types, coercions, and equality propositions to trivial forms •ty, •co and •prop and removes all casts. The full definition of this operation appears in the appendix, and we present only the interesting cases here:

$$|e\,\tau| = |e|\,\bullet_{ty} \qquad |e\,\gamma| = |e|\,\bullet_{co} \qquad |e \triangleright \gamma| = |e|$$

With this operation, we can state that erasing types, coercions and casts does not change how expressions evaluate.

Theorem 5.8 (Type erasure). If e ⟶ e', then either |e| = |e'| or |e| ⟶ |e'|.


6. Consistency and the progress theorem 

The proof for the progress theorem follows the same course as in previous work (Weirich et al. 2010). The progress theorem holds only for closed, consistent contexts. A context is closed if it does not contain any expression variable bindings — as usual, open expressions could be stuck. We use the metavariable Σ to denote closed contexts.

Theorem 6.1 (Progress). Assume Σ is a closed, consistent context. If Σ ⊢tm e1 : τ and e1 is not a value v or a coerced value v ▹ γ, then there exists an e2 such that e1 ⟶ e2.



The definition of consistent contexts is stated using the notions of uncoerced values and their types, value types. Formally, we define values v and value types ξ, with the following grammars:

$$\begin{aligned}
v &::= \lambda x{:}\sigma.\,e \mid \Lambda a{:}\kappa.\,e \mid \lambda c{:}\phi.\,e \mid K\,\overline{\tau}\,\overline{\rho}\,\overline{e}\\
\xi &::= \sigma_1 \to \sigma_2 \mid \forall a{:}\kappa.\,\sigma \mid \forall c{:}\phi.\,\sigma \mid T\,\overline{\tau}
\end{aligned}$$

The canonical forms lemma tells us that the shape of a value is determined by its type:

Lemma 6.2 (Canonical Forms). Say Σ ⊢tm v : σ. Then σ is a value type. Furthermore,

1. If σ = σ1 → σ2 then v is λx:σ1. e or K τ̄ ρ̄ ē.

2. If σ = ∀a:κ. σ' then v is Λa:κ. e or K τ̄ ρ̄ ē.

3. If σ = ∀c:φ. σ' then v is λc:τ1 ~ τ2. e or K τ̄ ρ̄ ē.

4. If σ = T τ̄ then v is K τ̄ ρ̄ ē.

Definition 6.3 (Consistency). A context Γ is consistent if ξ1 and ξ2 have the same head form whenever Γ ⊢co γ : ξ1 ~ ξ2.

Although the extensions in this paper have little effect on the structure of this proof compared to prior work, there is still work to do: we need a new notion of acceptable contexts to allow kind equalities, and we must prove that these contexts are consistent.

Our consistency argument proceeds in four steps: 

1. Because coercion proofs are irrelevant to type equivalence, we 
start with an implicitly coerced version of the language, where 
all coercion proofs have been erased. Derivations in the explicit 
language can be matched up with derivations in the implicit 
language (Definition 6.4) so showing consistency in the latter 
implies consistency in the former. 

2. We define a rewrite relation that reduces types in the implicit 
system by firing axioms in the context (Figure 8). 

3. We specify a sufficient condition, which we write Good Γ (Definition 6.6), for a context to be consistent. This condition allows the axioms produced by type and kind family definitions.

4. We show that good contexts are consistent by arguing that the 
joinability of the rewrite relation is complete with respect to 
the implicit coercion proof system. Since the rewrite relation 
and erasure preserve the head form of value types, this gives 
consistency for both the implicit and explicit systems. 

Since we don't want consistency to depend on particular proofs of kind equality, we prove our results with an implicit version of the type language. This implicit language elides coercion proofs and casts from the type language, and has judgements (denoted with a turnstile ⊨) analogous to the explicit language but for a few key differences where coercions are dropped from types.

First, the use of kind coercions is no longer explicitly marked in types.

$$\frac{\Gamma \models \tau : \kappa \qquad \Gamma \models \gamma : \kappa \sim \kappa' \qquad \Gamma \models \kappa' : \star}{\Gamma \models \tau : \kappa'}\ \text{IT\_Cast}$$

Note that this system is no longer syntax directed — a type may have several syntactically different kinds. This is not a problem, as we use this system as a proof device for progress only.

Second, the coercion in an application is erased to •co.

$$\frac{\Gamma \models \tau : \forall c{:}\phi.\,\kappa \qquad \Gamma \models \gamma : \phi}{\Gamma \models \tau\,\bullet_{co} : \kappa}\ \text{IT\_CApp}$$

(In general, we use •co to represent an elided coercion proof.)

We define coercion proofs between erased types in a similar fashion. Most of the rules carry over from the explicitly typed system, but there are three major differences. First, the implicit language does not include a coherence rule as there are no explicit casts. In the explicit language, given a coercion proof Γ ⊢co γ : τ ~ τ', the coherence rule was used to construct a proof γ ▹ γ' where the kind of the first type τ is changed, by applying a cast τ ▹ γ'. However, we can accomplish this in the implicit language by using IT_Cast to implicitly cast the kind of τ using coercion γ'.

Second, the coercion application congruence rule is modified in accordance with coercion erasure.

$$\frac{\Gamma \models \gamma : \tau \sim \tau' \qquad \Gamma \models \tau\,\bullet_{co} : \kappa \qquad \Gamma \models \tau'\,\bullet_{co} : \kappa'}{\Gamma \models \gamma(\bullet_{co}, \bullet_{co}) : \tau\,\bullet_{co} \sim \tau'\,\bullet_{co}}\ \text{ICT\_CApp}$$

This rule says that if two erased coercion applications are well formed, then if the two erased coercion abstractions are equal, there is a proof that the two applications are equal.

The final difference is in the rule for coercion abstractions: the requirement that c1 and c2 not appear in the (erased) coercion proof γ is for purely technical reasons (see below).

To connect the explicit and implicit systems, we define an erasure operation:

Definition 6.4 (Coercion Erasure). Given an explicitly typed term τ or coercion γ, we define its erasure, denoted |τ| or |γ|, by induction on its structure. The interesting cases follow:

$$\begin{aligned}
|\tau \triangleright \gamma| &= |\tau| & |\gamma(\gamma_1, \gamma_2)| &= |\gamma|(\bullet_{co}, \bullet_{co})\\
|\tau\,\gamma| &= |\tau|\,\bullet_{co} & |\gamma \triangleright \gamma'| &= |\gamma|\\
|\gamma @ (\gamma', \gamma'')| &= |\gamma| @ (\bullet_{co}, \bullet_{co})
\end{aligned}$$

All other cases follow by simply propagating the |·| operation down the abstract syntax tree. (The full definition of this operation appears in the appendix.)

We further define the erasure of a context Γ, denoted |Γ|, by erasing the types and equality propositions of each binding.

Lemma 6.5 (Erasure is type preserving). If a judgement holds in the explicit system, the judgement with coercions erased throughout the context, types and coercions is derivable in the implicit system.

1. If ⊢ctx Γ then ⊨ |Γ|.

2. If Γ ⊢ty τ : κ then |Γ| ⊨ |τ| : |κ|.

3. If Γ ⊢pr φ ok then |Γ| ⊨ |φ| ok.

4. If Γ ⊢co γ : φ then |Γ| ⊨ |γ| : |φ|.

5. If Γ ⊢tel ρ : Δ then |Γ| ⊨ |ρ| : |Δ|.

We define a nondeterministic rewrite relation on open implicit types in Figure 8. We say that σ1 is joinable with σ2, written Γ ⊨ σ1 ⇔ σ2, when both can multi-rewrite to a common reduct.

Consistency does not hold in arbitrary contexts, and it is difficult in general to check whether a context is inconsistent. Therefore, like in previous work (Weirich et al. 2010), we give sufficient conditions, written Good Γ, for a context to be consistent. Since we are working with the implicit language, these conditions are actually for the erased context.

Definition 6.6 (Good contexts). We have Good Γ when the following conditions hold:

1. All coercion assumptions and axioms in Γ are of the form C : ∀Δ. (F τ̄ ~ τ') or of the form c : σ1 ~ σ2. In the first form, the arguments to the type function must behave like patterns: for all ρ, every τi ∈ τ̄ and every τi' such that Γ ⊨ τi[ρ/Δ] ⇝ τi', there exists ρ' such that τi' = τi[ρ'/Δ] and Γ ⊨ σm ⇝ σm' for each σm ∈ ρ and corresponding σm' ∈ ρ'.

2. Axioms and coercion assumptions don't overlap. For each F τ̄, there exists at most one prefix τ̄1 of τ̄ such that there exist C and ρ where C : ∀Δ. F σ̄0 ~ σ1 ∈ Γ and τ̄1 = σ̄0[ρ/Δ]. These C and ρ are unique for every matching F τ̄1.

3. For each a, there is at most one assumption of the form c : a ~ σ or c : a' ~ a, and a ≠ a'.

4. Axioms equate types of the same kind. For each C : ∀Δ. (F τ̄ ~ τ') in Γ, the kinds of each side must be equal: for some κ, Γ, Δ ⊨ F τ̄ : κ and Γ, Δ ⊨ τ' : κ, and that kind must not mention bindings in the telescope, Γ ⊨ κ : *.

Figure 8. Rewrite relation Γ ⊨ τ ⇝ τ'

$$\begin{gathered}
\frac{}{\Gamma \models \tau \rightsquigarrow \tau}\ \text{TS\_Refl}
\qquad
\frac{\Gamma \models \tau \rightsquigarrow \tau' \qquad \Gamma \models \sigma \rightsquigarrow \sigma'}{\Gamma \models \tau\,\sigma \rightsquigarrow \tau'\,\sigma'}\ \text{TS\_App}
\qquad
\frac{\Gamma \models \tau \rightsquigarrow \tau'}{\Gamma \models \tau\,\bullet_{co} \rightsquigarrow \tau'\,\bullet_{co}}\ \text{TS\_CApp}
\\[1em]
\frac{\Gamma, \Gamma' \models \kappa \rightsquigarrow \kappa' \qquad \Gamma, c{:}a_1 \sim a_2, \Gamma' \models \sigma \rightsquigarrow \sigma'}{\Gamma, \Gamma' \models \forall a_1{:}\kappa.\,\sigma \rightsquigarrow \forall a_2{:}\kappa'.\,\sigma'}\ \text{TS\_AllT}
\qquad
\frac{\Gamma \models \tau_1 \rightsquigarrow \tau_1' \qquad \Gamma \models \tau_2 \rightsquigarrow \tau_2' \qquad \Gamma \models \sigma \rightsquigarrow \sigma'}{\Gamma \models \forall c{:}\tau_1 \sim \tau_2.\,\sigma \rightsquigarrow \forall c{:}\tau_1' \sim \tau_2'.\,\sigma'}\ \text{TS\_AllC}
\\[1em]
\frac{C{:}\forall\Delta.\,(F\,\overline{\tau} \sim \tau') \in \Gamma \qquad \overline{\sigma_1} = \overline{\tau}[\rho/\Delta] \qquad \sigma_1' = \tau'[\rho/\Delta]}{\Gamma \models F\,\overline{\sigma_1} \rightsquigarrow \sigma_1'}\ \text{TS\_Red}
\qquad
\frac{c{:}a \sim \tau \in \Gamma}{\Gamma \models a \rightsquigarrow \tau}\ \text{TS\_VarRed}
\end{gathered}$$
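As an added example (not code from the paper or from GHC), the following Python implements the rewrite relation of Figure 8 for a constructed first-order fragment (rules TS_Refl, TS_App, TS_VarRed and TS_Red; no ∀ binders or •co applications) and the joinability test Γ ⊨ σ1 ⇔ σ2 that Lemma 6.7 is about. The type family F, the axioms C1 and C2, the assumption c : b ~ Int and the step bound are all constructed for the example; the context is written to satisfy conditions 1 to 3 of Definition 6.6 (constructor patterns, non-overlapping axioms, one assumption per variable), which the code assumes rather than checks.

```python
# Added example, not code from the paper or GHC: Figure 8 for a constructed
# first-order fragment, plus joinability.  Rewriting is parallel: one step may
# fire TS_Red, TS_VarRed and TS_App at several positions at once, or leave a
# subterm alone (TS_Refl).
# Types: ('var', a) | ('con', T) | ('app', t1, t2)
# A context is (axioms, assumptions):
#   axioms       list of (binders, lhs, rhs) for C : ∀Δ. (F τ̄ ~ τ'), lhs = F τ̄
#   assumptions  dict {a: τ} for c : a ~ τ

def app(head, *args):
    for x in args:
        head = ('app', head, x)
    return head

def match(pat, t, binders, theta):
    """One-way matching: find ρ with pat[ρ/Δ] == t, extending theta."""
    if pat[0] == 'var' and pat[1] in binders:          # a pattern variable from Δ
        if pat[1] in theta:
            return theta if theta[pat[1]] == t else None
        return {**theta, pat[1]: t}
    if pat[0] != t[0]:
        return None
    if pat[0] in ('var', 'con'):
        return theta if pat[1] == t[1] else None
    theta = match(pat[1], t[1], binders, theta)
    return None if theta is None else match(pat[2], t[2], binders, theta)

def apply(theta, t):
    """Instantiate pattern variables: t[ρ/Δ]."""
    if t[0] == 'var':
        return theta.get(t[1], t)
    if t[0] == 'con':
        return t
    return ('app', apply(theta, t[1]), apply(theta, t[2]))

def step(ctx, t):
    """All parallel one-step reducts Γ ⊨ t ⇝ t'."""
    axioms, assumptions = ctx
    out = {t}                                           # TS_Refl
    if t[0] == 'var' and t[1] in assumptions:           # TS_VarRed: c : a ~ τ ∈ Γ
        out.add(assumptions[t[1]])
    if t[0] == 'app':                                   # TS_App, both sides in parallel
        for l in step(ctx, t[1]):
            for r in step(ctx, t[2]):
                out.add(('app', l, r))
    for binders, lhs, rhs in axioms:                    # TS_Red: F τ̄[ρ/Δ] ⇝ τ'[ρ/Δ]
        theta = match(lhs, t, binders, {})
        if theta is not None:
            out.add(apply(theta, rhs))
    return out

def reducts(ctx, t, fuel=8):
    """Multi-step reducts reachable within `fuel` steps.  The bound matters:
    nothing in Definition 6.6 forces rewriting to terminate."""
    seen, frontier = {t}, {t}
    for _ in range(fuel):
        frontier = {u for s in frontier for u in step(ctx, s)} - seen
        if not frontier:
            break
        seen |= frontier
    return seen

def joinable(ctx, s, t, fuel=8):
    """Γ ⊨ s ⇔ t: s and t multi-rewrite to a common reduct."""
    return bool(reducts(ctx, s, fuel) & reducts(ctx, t, fuel))

# Constructed Good context: a type family F with two non-overlapping axioms
# whose arguments are constructor patterns, and one variable assumption.
F, Int, Bool, Maybe, a, b = (('con', 'F'), ('con', 'Int'), ('con', 'Bool'),
                             ('con', 'Maybe'), ('var', 'a'), ('var', 'b'))
CTX = (
    [(set(), app(F, Int), Bool),                        # C1 : F Int ~ Bool
     ({'a'}, app(F, app(Maybe, a)), a)],                # C2 : ∀a:*. F (Maybe a) ~ a
    {'b': Int},                                         # c  : b ~ Int
)
```

step returns every parallel one-step reduct of a type, so reducts is the reflexive-transitive closure up to the fuel bound, and joinable intersects the two closures. With the context above, F b and Bool are joinable through F b ⇝ F Int ⇝ Bool, and F (Maybe b) meets Int both via the axiom C2 and via the assumption on b; F b and Int are not joinable, which is the sort of disagreement the completeness lemma lets the consistency proof rule out for value types.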

The main lemma required for consistency is the completeness of joinability. Here, we write fcv(γ) ⊆ dom Γ' to indicate that all coercion variables and axioms used in γ are in the domain of Γ'.

Lemma 6.7 (Completeness). Suppose that Γ ⊨ γ : σ1 ~ σ2, and fcv(γ) ⊆ dom Γ' for some subcontext Γ' satisfying Good Γ'. Then Γ ⊨ σ1 ⇔ σ2.

The proof of this theorem appears in the appendix. Here, we highlight a technical point about coercions between coercion abstractions. The completeness proof requires that all coercion variables in a coercion γ must satisfy the requirements of Good contexts. As a result, we need to restrict the coercion abstraction equality rule in both the implicit and explicit systems.

$$\frac{\begin{gathered}\phi_1 = \sigma_1 \sim \sigma_2 \qquad \phi_2 = \sigma_1' \sim \sigma_2'\\ \Gamma \models \eta_1 : \sigma_1 \sim \sigma_1' \qquad \Gamma \models \eta_2 : \sigma_2 \sim \sigma_2' \qquad c_1 \mathrel{\#} \gamma \qquad c_2 \mathrel{\#} \gamma\\ \Gamma, c_1{:}\phi_1, c_2{:}\phi_2 \models \gamma : \tau_1 \sim \tau_2 \qquad \Gamma \models \forall c_1{:}\phi_1.\,\tau_1 : \star \qquad \Gamma \models \forall c_2{:}\phi_2.\,\tau_2 : \star\end{gathered}}{\Gamma \models \forall(\eta_1, \eta_2)(c_1, c_2).\,\gamma : (\forall c_1{:}\phi_1.\,\tau_1) \sim (\forall c_2{:}\phi_2.\,\tau_2)}$$

In this rule, the variables c1 and c2 cannot be used in γ due to the premises c1 # γ and c2 # γ. (The analogous rule in the explicit system includes the premises c1 # |γ| and c2 # |γ|.) This restriction is because c1 and c2 may be inconsistent assumptions: perhaps c1 : Int ~ Bool. If we were to introduce these into the context, induction would fail.

The consequence of these restrictions is that there are some types that cannot be shown equivalent, even though they are intuitively equivalent. For example, there is no proof of equivalence between the types ∀c1:Int ~ b. Int and ∀c2:Int ~ b. b — a coercion between these two types would need to use c1 or c2. However, this lack of expressiveness is not significant — in source Haskell, it could only be observed through exotic uses of first-class polymorphism, which are already rare in general. Furthermore, this restriction already exists in GHC⁷ and other dependently-typed languages such as Agda and Coq. It is possible that a different consistency proof would validate a rule that does not restrict the use of these variables. However, we leave this possibility to future work.

7. Discussion and related work 

Collapsing kinds and types Blurring the distinction between types and kinds is convenient, but is it wise? It is well known that type systems that include the Γ ⊢ty * : * rule are inconsistent logics (Girard 1972). Does that cause trouble? For FC the answer is no — inconsistency here means that all kinds are inhabited, but even without our extensions, all kinds are already inhabited.

The Γ ⊢ty * : * rule often causes type checking to be undecidable in dependently typed languages (Cardelli 1986; Augustsson 1998). This axiom permits the expression of divergent terms — if the type checker tries to reduce them it will loop. However, type checking in FC is decidable — all type equalities are witnessed by finite equality proofs, not potentially infinite reductions.

At the source language level, which does reduce type expressions, it is not clear whether adding the Γ ⊢ty * : * rule could cause type inference to loop (in the absence of language extensions such as UndecidableInstances which already make divergence possible). However, even though this version of FC combines types and kinds, the Haskell source language need not do so (predictable type inference algorithms may require more traditional stratification). This gap would not be new — differing requirements for the core and surface languages have already led FC to be more expressive than source Haskell.

Heterogeneous equality Heterogeneous equality is an essential part of this system. It is primarily motivated by the presence of dependent application (such as rules K_Inst and K_CApp), where the kind of the result depends on the value of the argument. We would like type equivalence to be congruent with respect to application, as is demonstrated by rule CT_App. However, if all equalities are required to be homogeneous, then not all uses of the rule are valid because the result kinds may differ.

For example, consider the datatype TyRep : ∀k:*. ∀b:k. *. If we have coercions Γ ⊢co γ1 : * ~ k and Γ ⊢co γ2 : Int ~ τ (with Γ ⊢ty τ : k), then we can construct the proof

$$\Gamma \vdash_{co} \langle\mathit{TyRep}\rangle\,\gamma_1\,\gamma_2 : \mathit{TyRep}\ \star\ \mathit{Int} \sim \mathit{TyRep}\ k\ \tau$$

However, this proof requires heterogeneity because the first part (⟨TyRep⟩ γ1) creates an equality between types of different kinds: TyRep * and TyRep k. The first has kind * → * whereas the second has kind k → *.

The coherence rule (CT_Coh) also requires that equality be heterogeneous because it equates types that almost certainly have different kinds. This rule, inspired by Observational Type Theory (Altenkirch et al. 2007), provides a simple way of ensuring that proofs do not interfere with equality. Without it, we would need coercions analogous to the many "push" rules of the operational semantics.

There are several choices in the semantics of heterogeneous equality. We have chosen the most popular, where a proposition σ1 ~ σ2 is interpreted as a conjunction: "the types are equal and their kinds are equal". This semantics is similar to Epigram 1 (McBride 2002), the HeterogeneousEquality module in the Agda standard library,⁸ and the treatment in Coq.⁹ Epigram 2 (Altenkirch et al. 2007) uses an alternative semantics, interpreted as "if the kinds are equal then the types are equal". (This relation requires a proof of kind equality before coercing types.) Guru (Stump et al. 2008) and Trellys (Kimmell et al. 2012; Sjöberg et al. 2012) use yet another interpretation which says nothing about the kinds. These differences reflect the design of the type systems — the syntax-directed type system of FC makes the conjunctive interpretation the most reasonable, whereas the bidirectional type system of Epigram 2 makes the implicational version more convenient. As Guru/Trellys demonstrate, it is also reasonable to not require kind equality. We conjecture that without the kind γ coercion form, it would be sound to drop the fourth condition from Good Γ.

⁷ Currently, coercions between the types (Int ~ b) => Int and (Int ~ b) => b are disallowed.

⁸ http://wiki.portal.chalmers.se/agda/agda.php?n=Libraries.StandardLibrary

⁹ http://coq.inria.fr/stdlib/Coq.Logic.JMeq.html

Unlike higher-dimensional type theory (Licata and Harper 2012), equality in this language has no computational content. Because of the separation between objects and proofs, FC is resolutely one-dimensional — we do not define what it means for proofs to be equivalent. Instead, we ensure that in any context the identity of equality proofs is unimportant.

The implicit language Our proof technique for consistency, 
based on erasing explicit type conversions, is inspired by ICC 
(Miquel 2001). Coercion proofs are irrelevant to the definition of 
type equality, so to reason about type equality it is convenient to 
ignore them entirely. Following ICC* (Barras and Bernardo 2008), 
we could also view the implicit language as the "real" semantics for 
FC, and consider the language of this paper as an adaptation of that 
semantics with annotations to make typing decidable. Furthermore, 
the implicit language is interesting in its own right as it is closer to 
source Haskell, which also makes implicit use of type equalities. 

However, although the implicit language allows type equality assumptions to be used implicitly, it is not extensional type theory (ETT) (Martin-Löf 1984): it separates proofs from programs so that it can weaken the former (ensuring consistency) while enriching the latter (with "type-in-type"). As a result, the proof language of FC is not as expressive as ETT; besides the limitations on equalities between coercion abstractions in Section 6, FC lacks η-equivalence or extensional reasoning for type-level functions.

Explicit equality proofs In concurrent related work, van Doorn, 
Geuvers and Wiedijk (Geuvers and Wiedijk 2004; van Doorn et al. 
2013) develop a variant of pure type systems that replaces implicit 
conversions with explicit convertibility proofs. There are strong 
connections to this paper: they too use heterogeneous equality 
and must significantly generalize the statement of a lifting lemma 
(which they call "equality of substitutions"). However, there are 
differences. Their work is based on Pure Type Systems, which 
generalize over sorts, rules and axioms; we only consider a single 
instance here. They also show that the system with explicit equalities 
is equivalent to the system with implicit equalities; we only show 
one direction. Finally, as their work is based on intensional type 
theory, it does not address coercion abstraction. Consequently, their 
analogue to rule CT_AllT is the following asymmetric rule. 

$$\dfrac{\Gamma \vdash_{co} \eta : \kappa_1 \sim \kappa_2 \qquad
\Gamma, a_1{:}\kappa_1 \vdash_{co} \gamma : \tau_1 \sim \tau_2[a_1 \triangleright \eta / a_2] \qquad
\Gamma \vdash_{ty} \forall a_1{:}\kappa_1.\,\tau_1 : \star \qquad
\Gamma \vdash_{ty} \forall a_2{:}\kappa_2.\,\tau_2 : \star}
{\Gamma \vdash_{co} \forall\eta\,a_1{:}\kappa_1.\,\gamma : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2)}
\quad\text{CT\_AllTA}$$

We conjecture that in our system, the above rule is equivalent to 
CT_ALLT. 

8. Conclusions and future work 

This work provides the basis for the practical extension of a popular 
programming language implementation. It does so without sacrificing 
any important metatheoretic properties. This extension is a 
necessary step towards making Haskell more dependently typed. 

The next step in this research plan is to lift these extensions 
to the source language, incorporating these features within GHC's 
constraint solving algorithm. In particular, we plan future language 
extensions in support of type- and kind-level programming, such 
as datakinds (datatypes that exist only at the kind-level), kind syn- 
onyms and kind families. Although GHC already infers kinds, we 
will need to extend this mechanism to generate kind coercions and 
take advantage of these new features. 

Going further, we would also like to support a true "dependent 
type" in Haskell, which would allow types to mention expressions 
directly, instead of requiring singleton encodings. One 
way to extend Haskell in this way is through elaboration: we believe 
that the translation between source Haskell and FC could 
automatically insert the appropriate singleton arguments (Eisenberg 
and Weirich 2012), perhaps using the class system to determine 
where they are necessary. This approach would not require further 
extension to FC. Alternatively, Adam Gundry's forthcoming 
dissertation includes Π-types in a version of System FC that is 
strongly influenced by an early draft of this work. If elaboration 
does not prove to be sufficiently expressive, Gundry's work provides 
a blueprint for future core language extension. 

In either case the interaction between dependent types and type 
inference brings new research challenges. However, the results 
in this paper mean that these challenges can be addressed in the 
context of a firm semantic basis. 
A. Additional semantics 

Below, we list a few rules and definitions not included in the main 
discussion. 

A.l Context well-formedness 

These rules ensure that all assumptions in the context are well 
formed and unique. They additionally constrain the form of the 
kinds of datatypes and the types of data constructors. The judgement 
has the form ⊢wf Γ. 

$$\dfrac{}{\vdash_{wf} \varnothing}\quad\text{GWF\_Empty}$$

$$\dfrac{\Gamma \vdash_{ty} \kappa : \star \qquad a \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, a{:}\kappa}\quad\text{GWF\_TyVar}$$

$$\dfrac{\Gamma \vdash_{ty} \kappa : \star \qquad F \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, F{:}\kappa}\quad\text{GWF\_TyFun}$$

$$\dfrac{\Gamma \vdash_{ty} \forall \overline{a{:}\kappa}.\,\star : \star \qquad T \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, T{:}\forall \overline{a{:}\kappa}.\,\star}\quad\text{GWF\_TyData}$$

$$\dfrac{\Gamma \vdash_{ty} \tau : \kappa \qquad x \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, x{:}\tau}\quad\text{GWF\_Var}$$

$$\dfrac{\Gamma \vdash_{ty} \forall \overline{a{:}\kappa}.\,\forall \Delta.\,(\overline{\sigma} \to T\,\overline{a}) : \star \qquad K \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, K{:}\forall \overline{a{:}\kappa}.\,\forall \Delta.\,(\overline{\sigma} \to T\,\overline{a})}\quad\text{GWF\_Con}$$

$$\dfrac{\Gamma \vdash_{pr} \phi\ \mathrm{ok} \qquad c \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, c{:}\phi}\quad\text{GWF\_CVar}$$

$$\dfrac{\Gamma, \Delta \vdash_{pr} \phi\ \mathrm{ok} \qquad C \mathrel{\#} \Gamma}{\vdash_{wf} \Gamma, C{:}\forall \Delta.\,\phi}\quad\text{GWF\_Ax}$$

A.2 Telescope argument validity 

The judgement Γ ⊢tel ρ̄ ⇐ Δ checks a list of telescope arguments 
against a telescope. 

$$\dfrac{\vdash_{wf} \Gamma}{\Gamma \vdash_{tel} \varnothing \Leftarrow \varnothing}\quad\text{T2\_Empty}$$

$$\dfrac{\Gamma, \Delta \vdash_{ty} \kappa : \star \qquad a \mathrel{\#} \Gamma, \Delta \qquad \Gamma \vdash_{ty} \tau : \kappa[\overline{\rho}/\Delta] \qquad \Gamma \vdash_{tel} \overline{\rho} \Leftarrow \Delta}{\Gamma \vdash_{tel} \overline{\rho}, \tau \Leftarrow (\Delta, a{:}\kappa)}\quad\text{T2\_ConsT}$$

$$\dfrac{\Gamma, \Delta \vdash_{pr} \phi\ \mathrm{ok} \qquad c \mathrel{\#} \Gamma, \Delta \qquad \Gamma \vdash_{co} \gamma : \phi[\overline{\rho}/\Delta] \qquad \Gamma \vdash_{tel} \overline{\rho} \Leftarrow \Delta}{\Gamma \vdash_{tel} \overline{\rho}, \gamma \Leftarrow (\Delta, c{:}\phi)}\quad\text{T2\_ConsG}$$

A.3 Expression typing and operational semantics 

Expression typing, with judgement Γ ⊢tm e : τ: 

$$\dfrac{\vdash_{wf} \Gamma \qquad x{:}\tau \in \Gamma}{\Gamma \vdash_{tm} x : \tau}\quad\text{T\_Var}$$

$$\dfrac{\Gamma, x{:}\tau_1 \vdash_{tm} e : \tau_2}{\Gamma \vdash_{tm} \lambda x{:}\tau_1.\,e : \tau_1 \to \tau_2}\quad\text{T\_Abs}$$

$$\dfrac{\Gamma \vdash_{tm} e : \tau_1 \to \tau_2 \qquad \Gamma \vdash_{tm} u : \tau_1}{\Gamma \vdash_{tm} e\ u : \tau_2}\quad\text{T\_App}$$

$$\dfrac{\Gamma, c{:}\phi \vdash_{tm} e : \tau \qquad \Gamma \vdash_{pr} \phi\ \mathrm{ok}}{\Gamma \vdash_{tm} \lambda c{:}\phi.\,e : \forall c{:}\phi.\,\tau}\quad\text{T\_CAbs}$$

$$\dfrac{\Gamma \vdash_{tm} e : \forall c{:}\phi.\,\tau \qquad \Gamma \vdash_{co} \gamma : \phi}{\Gamma \vdash_{tm} e\ \gamma : \tau[\gamma/c]}\quad\text{T\_CApp}$$

$$\dfrac{\Gamma, a{:}\kappa \vdash_{tm} e : \tau}{\Gamma \vdash_{tm} \Lambda a{:}\kappa.\,e : \forall a{:}\kappa.\,\tau}\quad\text{T\_TAbs}$$

$$\dfrac{\Gamma \vdash_{tm} e : \forall a{:}\kappa.\,\tau \qquad \Gamma \vdash_{ty} \tau' : \kappa}{\Gamma \vdash_{tm} e\ \tau' : \tau[\tau'/a]}\quad\text{T\_TApp}$$

$$\dfrac{\Gamma \vdash_{tm} e : \tau_1 \qquad \Gamma \vdash_{co} \gamma : \tau_1 \sim \tau_2 \qquad \Gamma \vdash_{ty} \tau_2 : \star}{\Gamma \vdash_{tm} e \triangleright \gamma : \tau_2}\quad\text{T\_Cast}$$

$$\dfrac{\vdash_{wf} \Gamma \qquad K{:}\tau \in \Gamma}{\Gamma \vdash_{tm} K : \tau}\quad\text{T\_Con}$$

$$\dfrac{\begin{array}{c}
\overline{K_i}\ \text{are exhaustive for}\ T \qquad \Gamma \vdash_{tm} e : T\,\overline{\tau} \\
\text{for each } i:\quad K_i{:}\forall \overline{a{:}\kappa}.\,\forall \Delta_i.\,(\overline{\sigma_i} \to T\,\overline{a}) \in \Gamma \qquad
\overline{\sigma_i'} = \overline{\sigma_i}[\overline{\tau}/\overline{a}] \qquad
\Gamma, \Delta_i, \overline{x_i{:}\sigma_i'} \vdash_{tm} u_i : \tau
\end{array}}
{\Gamma \vdash_{tm} \mathbf{case}\ e\ \mathbf{of}\ \overline{K_i\ \Delta_i\ \overline{x_i{:}\sigma_i'} \to u_i} : \tau}\quad\text{T\_Case}$$

$$\dfrac{\Gamma \vdash_{co} \gamma : H_1\,\overline{\rho_1} \sim H_2\,\overline{\rho_2} \qquad H_1 \neq H_2 \qquad \Gamma \vdash_{ty} \tau : \star}{\Gamma \vdash_{tm} \mathbf{contra}\ \gamma\ \tau : \tau}\quad\text{T\_Contra}$$

Step reduction, parameterized by a toplevel context Γ, with judgement e ⟶ e': 

$$\dfrac{}{(\lambda x{:}\tau.\,e)\ e' \longrightarrow e[e'/x]}\quad\text{S\_Beta}$$

$$\dfrac{e_1 \longrightarrow e_1'}{e_1\ e_2 \longrightarrow e_1'\ e_2}\quad\text{S\_EApp}$$

$$\dfrac{\Gamma \vdash_{co} \gamma : \sigma_1 \to \sigma_2 \sim \tau_1 \to \tau_2}{(v \triangleright \gamma)\ e \longrightarrow (v\ (e \triangleright \mathbf{sym}\,(\mathbf{nth}\ 1\ \gamma))) \triangleright \mathbf{nth}\ 2\ \gamma}\quad\text{S\_Push}$$

$$\dfrac{}{(\Lambda a{:}\kappa.\,e)\ \tau \longrightarrow e[\tau/a]}\quad\text{S\_TBeta}$$

$$\dfrac{e_1 \longrightarrow e_1'}{e_1\ \tau \longrightarrow e_1'\ \tau}\quad\text{S\_TApp}$$

$$\dfrac{\Gamma \vdash_{co} \gamma : \forall a{:}\kappa_1.\,\sigma_1 \sim \forall a{:}\kappa_2.\,\sigma_2 \qquad \gamma' = \mathbf{sym}\,(\mathbf{nth}\ 1\ \gamma) \qquad \tau' = \tau \triangleright \gamma'}{(v \triangleright \gamma)\ \tau \longrightarrow (v\ \tau') \triangleright \gamma@(\langle\tau\rangle \triangleright \gamma')}\quad\text{S\_TPush}$$

$$\dfrac{}{(\lambda c{:}\sigma_1 \sim \sigma_2.\,e)\ \gamma \longrightarrow e[\gamma/c]}\quad\text{S\_CBeta}$$

$$\dfrac{e_1 \longrightarrow e_1'}{e_1\ \gamma \longrightarrow e_1'\ \gamma}\quad\text{S\_CApp}$$

$$\dfrac{\Gamma \vdash_{co} \gamma : (\forall c{:}\phi.\,\tau) \sim (\forall c'{:}\phi'.\,\tau') \qquad \gamma'' = \mathbf{nth}\ 1\ \gamma \mathbin{;} \gamma' \mathbin{;} \mathbf{sym}\,(\mathbf{nth}\ 2\ \gamma)}{(v \triangleright \gamma)\ \gamma' \longrightarrow v\ \gamma'' \triangleright \gamma@(\gamma'', \gamma')}\quad\text{S\_CPush}$$

$$\dfrac{}{(v \triangleright \gamma_1) \triangleright \gamma_2 \longrightarrow v \triangleright (\gamma_1 \mathbin{;} \gamma_2)}\quad\text{S\_Comb}$$

$$\dfrac{e \longrightarrow e'}{e \triangleright \gamma \longrightarrow e' \triangleright \gamma}\quad\text{S\_Coerce}$$

$$\dfrac{K_i\ \Delta_i\ \overline{x_i{:}\sigma_i} \to u_i \in \overline{p \to u}}{\mathbf{case}\ K_i\ \overline{\tau}\ \overline{\rho}\ \overline{e}\ \mathbf{of}\ \overline{p \to u} \longrightarrow u_i[\overline{e}/\overline{x_i}][\overline{\rho}/\Delta_i]}\quad\text{S\_CaseMatch}$$

$$\dfrac{e \longrightarrow e'}{\mathbf{case}\ e\ \mathbf{of}\ \overline{p \to u} \longrightarrow \mathbf{case}\ e'\ \mathbf{of}\ \overline{p \to u}}\quad\text{S\_Case}$$

$$\dfrac{\begin{array}{c}
K{:}\forall \overline{a{:}\kappa}.\,\forall \Delta.\,\overline{\sigma} \to (T\,\overline{a}) \in \Gamma \qquad
\Psi = \mathit{extend}(\mathit{context}(\gamma);\ \overline{\rho};\ \Delta) \\
\overline{\tau}' = \Psi_2(\overline{a}) \qquad
\overline{\rho}' = \Psi_2(\mathit{dom}\ \Delta) \qquad
\text{for each } e_i \in \overline{e},\ e_i' = e_i \triangleright \Psi(\sigma_i)
\end{array}}
{\mathbf{case}\ ((K\ \overline{\tau}\ \overline{\rho}\ \overline{e}) \triangleright \gamma)\ \mathbf{of}\ \overline{p \to u} \longrightarrow \mathbf{case}\ (K\ \overline{\tau}'\ \overline{\rho}'\ \overline{e}')\ \mathbf{of}\ \overline{p \to u}}\quad\text{S\_KPush}$$


A.4 Erasure operation 

The erasure operation |·| is defined on expressions, types, coercions, 
telescope arguments and contexts. 

$$\begin{array}{rcl}
|x| &=& x \\
|\lambda x{:}\tau.\,e| &=& \lambda x{:}\bullet_{ty}.\,|e| \\
|e_1\ e_2| &=& |e_1|\ |e_2| \\
|\Lambda a{:}\kappa.\,e| &=& \Lambda a{:}\bullet_{ty}.\,|e| \\
|e\ \tau| &=& |e|\ \bullet_{ty} \\
|\lambda c{:}\phi.\,e| &=& \lambda c{:}\bullet_{prop}.\,|e| \\
|e\ \gamma| &=& |e|\ \bullet_{co} \\
|e \triangleright \gamma| &=& |e| \\
|K| &=& K \\
|\mathbf{case}\ e\ \mathbf{of}\ \overline{p \to u}| &=& \mathbf{case}\ |e|\ \mathbf{of}\ |\overline{p \to u}| \\
|\mathbf{contra}\ \gamma\ \tau| &=& \mathbf{contra}\ \bullet_{co}\ \bullet_{ty} \\[1ex]
|a| &=& a \\
|H| &=& H \\
|F| &=& F \\
|\forall a{:}\kappa.\,\tau| &=& \forall a{:}|\kappa|.\,|\tau| \\
|\forall c{:}\phi.\,\tau| &=& \forall c{:}|\phi|.\,|\tau| \\
|\tau_1\ \tau_2| &=& |\tau_1|\ |\tau_2| \\
|\tau_1 \triangleright \gamma| &=& |\tau_1| \\
|\tau_1\ \gamma| &=& |\tau_1|\ \bullet_{co} \\[1ex]
|\sigma_1 \sim \sigma_2| &=& |\sigma_1| \sim |\sigma_2| \\[1ex]
|c| &=& c \\
|C\ \overline{\rho}| &=& C\ |\overline{\rho}| \\
|\langle \tau \rangle| &=& \langle |\tau| \rangle \\
|\mathbf{sym}\ \gamma| &=& \mathbf{sym}\ |\gamma| \\
|\gamma_1 \mathbin{;} \gamma_2| &=& |\gamma_1| \mathbin{;} |\gamma_2| \\
|\forall\eta(a_1, a_2, c).\,\gamma| &=& \forall|\eta|(a_1, a_2, c).\,|\gamma| \\
|\forall(\eta_1,\eta_2)(c_1, c_2).\,\gamma| &=& \forall(|\eta_1|,|\eta_2|)(c_1, c_2).\,|\gamma| \\
|\gamma_1\ \gamma_2| &=& |\gamma_1|\ |\gamma_2| \\
|\gamma(\gamma_1, \gamma_2)| &=& |\gamma|(\bullet_{co}, \bullet_{co}) \\
|\gamma \triangleright \gamma'| &=& |\gamma| \\
|\gamma@\gamma'| &=& |\gamma|@|\gamma'| \\
|\gamma@(\gamma', \gamma'')| &=& |\gamma|@(\bullet_{co}, \bullet_{co}) \\
|\mathbf{nth}\ i\ \gamma| &=& \mathbf{nth}\ i\ |\gamma| \\
|\mathbf{kind}\ \gamma| &=& \mathbf{kind}\ |\gamma| \\[1ex]
|\rho| &=& |\tau| \qquad (\text{where } \rho = \tau) \\
|\rho| &=& \bullet_{co} \qquad (\text{where } \rho = \gamma) \\[1ex]
|\varnothing| &=& \varnothing \\
|\Gamma, a{:}\kappa| &=& |\Gamma|, a{:}|\kappa| \\
|\Gamma, c{:}\phi| &=& |\Gamma|, c{:}|\phi| \\
|\Gamma, C{:}\forall\Delta.\,\phi| &=& |\Gamma|, C{:}\forall|\Delta|.\,|\phi|
\end{array}$$

A.5 Implicit Language Typing 

Implicit validity, with judgement ⊨ Γ: 

$$\dfrac{}{\models \varnothing}\quad\text{IV\_Empty}$$

$$\dfrac{\Gamma \models \kappa : \star \qquad a \mathrel{\#} \Gamma}{\models \Gamma, a{:}\kappa}\quad\text{IV\_TyVar}$$

$$\dfrac{\Gamma \models \kappa : \star \qquad F \mathrel{\#} \Gamma}{\models \Gamma, F{:}\kappa}\quad\text{IV\_TyFun}$$

$$\dfrac{\Gamma \models \forall \overline{a{:}\kappa}.\,\star : \star \qquad T \mathrel{\#} \Gamma}{\models \Gamma, T{:}\forall \overline{a{:}\kappa}.\,\star}\quad\text{IV\_TyData}$$

$$\dfrac{\Gamma \models \tau : \kappa \qquad x \mathrel{\#} \Gamma}{\models \Gamma, x{:}\tau}\quad\text{IV\_Var}$$

$$\dfrac{\Gamma \models \forall \overline{a{:}\kappa}.\,\forall \Delta.\,(\overline{\sigma} \to T\,\overline{a}) : \star \qquad K \mathrel{\#} \Gamma}{\models \Gamma, K{:}\forall \overline{a{:}\kappa}.\,\forall \Delta.\,(\overline{\sigma} \to T\,\overline{a})}\quad\text{IV\_Con}$$

$$\dfrac{\Gamma \models \phi\ \mathrm{ok} \qquad c \mathrel{\#} \Gamma}{\models \Gamma, c{:}\phi}\quad\text{IV\_CVar}$$

$$\dfrac{\Gamma, \Delta \models \phi\ \mathrm{ok} \qquad C \mathrel{\#} \Gamma}{\models \Gamma, C{:}\forall \Delta.\,\phi}\quad\text{IV\_Ax}$$

Implicit coercion kind well-formedness, with judgement Γ ⊨ φ ok: 

$$\dfrac{\Gamma \models \sigma_1 : \kappa_1 \qquad \Gamma \models \sigma_2 : \kappa_2}{\Gamma \models \sigma_1 \sim \sigma_2\ \mathrm{ok}}\quad\text{IP\_Equality}$$

Implicit kinding, with judgement Γ ⊨ τ : κ: 

$$\dfrac{\models \Gamma}{\Gamma \models \star : \star}\quad\text{IT\_StarInStar}$$

$$\dfrac{\models \Gamma}{\Gamma \models (\to) : \star \to \star \to \star}\quad\text{IT\_Arrow}$$

IT_ArrowK: of this rule only the fragment Γ ⊨ ⋆ : ⋆ is legible in the scan. 

$$\dfrac{\models \Gamma \qquad w{:}\kappa \in \Gamma}{\Gamma \models w : \kappa}\quad\text{IT\_Var}$$

$$\dfrac{\Gamma \models \tau_1 : \kappa_1 \to \kappa_2 \qquad \Gamma \models \tau_2 : \kappa_1}{\Gamma \models \tau_1\ \tau_2 : \kappa_2}\quad\text{IT\_App}$$

$$\dfrac{\Gamma \models \tau_1 : \forall a{:}\kappa_1.\,\kappa_2 \qquad \Gamma \models \tau_2 : \kappa_1}{\Gamma \models \tau_1\ \tau_2 : \kappa_2[\tau_2/a]}\quad\text{IT\_Inst}$$

$$\dfrac{\Gamma \models \tau : \forall c{:}\phi.\,\kappa \qquad \Gamma \models \gamma : \phi}{\Gamma \models \tau\ \bullet_{co} : \kappa}\quad\text{IT\_CApp}$$

$$\dfrac{\Gamma, a{:}\kappa \models \tau : \star \qquad \Gamma \models \kappa : \star}{\Gamma \models \forall a{:}\kappa.\,\tau : \star}\quad\text{IT\_AllT}$$

$$\dfrac{\Gamma, c{:}\phi \models \tau : \star \qquad \Gamma \models \phi\ \mathrm{ok}}{\Gamma \models \forall c{:}\phi.\,\tau : \star}\quad\text{IT\_AllC}$$

$$\dfrac{\Gamma \models \tau : \kappa \qquad \Gamma \models \gamma : \kappa \sim \kappa' \qquad \Gamma \models \kappa' : \star}{\Gamma \models \tau : \kappa'}\quad\text{IT\_Cast}$$

Implicit coercion typing, with judgement Γ ⊨ γ : φ: 

$$\dfrac{\Gamma \models \tau : \kappa}{\Gamma \models \langle\tau\rangle : \tau \sim \tau}\quad\text{ICT\_Refl}$$

$$\dfrac{\Gamma \models \gamma : \tau_1 \sim \tau_2}{\Gamma \models \mathbf{sym}\ \gamma : \tau_2 \sim \tau_1}\quad\text{ICT\_Sym}$$

$$\dfrac{\Gamma \models \gamma_1 : \tau_1 \sim \tau_2 \qquad \Gamma \models \gamma_2 : \tau_2 \sim \tau_3}{\Gamma \models \gamma_1 \mathbin{;} \gamma_2 : \tau_1 \sim \tau_3}\quad\text{ICT\_Trans}$$

$$\dfrac{\Gamma \models \gamma_1 : \tau_1 \sim \tau_2 \qquad \Gamma \models \gamma_2 : \tau_1' \sim \tau_2' \qquad \Gamma \models \tau_1\ \tau_1' : \kappa_1 \qquad \Gamma \models \tau_2\ \tau_2' : \kappa_2}{\Gamma \models \gamma_1\ \gamma_2 : \tau_1\ \tau_1' \sim \tau_2\ \tau_2'}\quad\text{ICT\_App}$$

$$\dfrac{\Gamma \models \gamma : \tau \sim \tau' \qquad \Gamma \models \tau\ \bullet_{co} : \kappa \qquad \Gamma \models \tau'\ \bullet_{co} : \kappa'}{\Gamma \models \gamma(\bullet_{co}, \bullet_{co}) : \tau\ \bullet_{co} \sim \tau'\ \bullet_{co}}\quad\text{ICT\_CApp}$$

$$\dfrac{\begin{array}{c}
\Gamma \models \eta : \kappa_1 \sim \kappa_2 \qquad
\Gamma, a_1{:}\kappa_1, a_2{:}\kappa_2, c{:}a_1 \sim a_2 \models \gamma : \tau_1 \sim \tau_2 \\
\Gamma \models \forall a_1{:}\kappa_1.\,\tau_1 : \star \qquad
\Gamma \models \forall a_2{:}\kappa_2.\,\tau_2 : \star
\end{array}}
{\Gamma \models \forall\eta(a_1, a_2, c).\,\gamma : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2)}\quad\text{ICT\_AllT}$$

$$\dfrac{\begin{array}{c}
\Gamma \models \eta_1 : \sigma_1 \sim \sigma_1' \qquad \phi_1 = \sigma_1 \sim \sigma_2 \qquad
\Gamma \models \eta_2 : \sigma_2 \sim \sigma_2' \qquad \phi_2 = \sigma_1' \sim \sigma_2' \\
c_1 \mathrel{\#} \gamma \qquad c_2 \mathrel{\#} \gamma \qquad
\Gamma, c_1{:}\phi_1, c_2{:}\phi_2 \models \gamma : \tau_1 \sim \tau_2 \\
\Gamma \models \forall c_1{:}\phi_1.\,\tau_1 : \star \qquad
\Gamma \models \forall c_2{:}\phi_2.\,\tau_2 : \star
\end{array}}
{\Gamma \models \forall(\eta_1, \eta_2)(c_1, c_2).\,\gamma : (\forall c_1{:}\phi_1.\,\tau_1) \sim (\forall c_2{:}\phi_2.\,\tau_2)}\quad\text{ICT\_AllC}$$

$$\dfrac{\Gamma \models \gamma_1 : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2) \qquad \Gamma \models \gamma_2 : \sigma_1 \sim \sigma_2 \qquad \Gamma \models \sigma_1 : \kappa_1 \qquad \Gamma \models \sigma_2 : \kappa_2}{\Gamma \models \gamma_1@\gamma_2 : \tau_1[\sigma_1/a_1] \sim \tau_2[\sigma_2/a_2]}\quad\text{ICT\_Inst}$$

$$\dfrac{\Gamma \models \gamma : (\forall c{:}\sigma_1 \sim \sigma_2.\,\tau) \sim (\forall c'{:}\sigma_1' \sim \sigma_2'.\,\tau') \qquad \Gamma \models \gamma_1 : \sigma_1 \sim \sigma_2 \qquad \Gamma \models \gamma_2 : \sigma_1' \sim \sigma_2'}{\Gamma \models \gamma@(\bullet_{co}, \bullet_{co}) : \tau \sim \tau'}\quad\text{ICT\_InstC}$$

$$\dfrac{c{:}\phi \in \Gamma \qquad \models \Gamma}{\Gamma \models c : \phi}\quad\text{ICT\_Var}$$

$$\dfrac{C{:}\forall\Delta.\,(\tau_1 \sim \tau_2) \in \Gamma \qquad \Gamma \models \overline{\rho} : \Delta}{\Gamma \models C\ \overline{\rho} : \tau_1[\overline{\rho}/\Delta] \sim \tau_2[\overline{\rho}/\Delta]}\quad\text{ICT\_Axiom}$$

$$\dfrac{\Gamma \models \gamma : H\,\overline{\tau} \sim H\,\overline{\tau}'}{\Gamma \models \mathbf{nth}\ i\ \gamma : \tau_i \sim \tau_i'}\quad\text{ICT\_Nth}$$

$$\dfrac{\Gamma \models \gamma_1 : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2)}{\Gamma \models \mathbf{nth}\ 1\ \gamma_1 : \kappa_1 \sim \kappa_2}\quad\text{ICT\_Nth1TA}$$

$$\dfrac{\Gamma \models \gamma : (\forall c{:}\kappa_1 \sim \kappa_2.\,\tau) \sim (\forall c'{:}\kappa_1' \sim \kappa_2'.\,\tau')}{\Gamma \models \mathbf{nth}\ 1\ \gamma : \kappa_1 \sim \kappa_1'}\quad\text{ICT\_Nth1CA}$$

$$\dfrac{\Gamma \models \gamma : (\forall c{:}\kappa_1 \sim \kappa_2.\,\tau) \sim (\forall c'{:}\kappa_1' \sim \kappa_2'.\,\tau')}{\Gamma \models \mathbf{nth}\ 2\ \gamma : \kappa_2 \sim \kappa_2'}\quad\text{ICT\_Nth2CA}$$

$$\dfrac{\Gamma \models \gamma : \tau_1 \sim \tau_2 \qquad \Gamma \models \tau_1 : \kappa_1 \qquad \Gamma \models \tau_2 : \kappa_2}{\Gamma \models \mathbf{kind}\ \gamma : \kappa_1 \sim \kappa_2}\quad\text{ICT\_Ext}$$

Implicit telescope argument validity, with judgement Γ ⊨ ρ̄ : Δ: 

$$\dfrac{\models \Gamma}{\Gamma \models \varnothing : \varnothing}\quad\text{IT2\_Empty}$$

$$\dfrac{\Gamma, \Delta \models \kappa : \star \qquad a \mathrel{\#} \Gamma, \Delta \qquad \Gamma \models \tau : \kappa[\overline{\rho}/\Delta] \qquad \Gamma \models \overline{\rho} : \Delta}{\Gamma \models \overline{\rho}, \tau : (\Delta, a{:}\kappa)}\quad\text{IT2\_ConsT}$$

$$\dfrac{\Gamma, \Delta \models \phi\ \mathrm{ok} \qquad c \mathrel{\#} \Gamma, \Delta \qquad \Gamma \models \gamma : \phi[\overline{\rho}/\Delta] \qquad \Gamma \models \overline{\rho} : \Delta}{\Gamma \models \overline{\rho}, \bullet_{co} : (\Delta, c{:}\phi)}\quad\text{IT2\_ConsG}$$

A.6 Telescope reduction 

$$\dfrac{}{\Gamma \models \varnothing \rightsquigarrow \varnothing}\quad\text{RNil}$$

$$\dfrac{\tau \rightsquigarrow \tau' \qquad \Gamma \models \overline{\rho} \rightsquigarrow \overline{\rho}'}{\Gamma \models \overline{\rho}, \tau \rightsquigarrow \overline{\rho}', \tau'}\quad\text{RCons}$$

B. Regularity 

These typing judgements are designed to satisfy the following 
generation properties that ensure that the subcomponents of each 
judgement are valid. 

Lemma B.1 (Regularity / Generation). 

1. If Γ ⊢ty τ : κ then Γ ⊢ty κ : ⋆ and ⊢wf Γ. 

2. If Γ ⊢tm e : τ then Γ ⊢ty τ : ⋆ and ⊢wf Γ. 

3. If Γ ⊢co γ : σ1 ~ σ2 then Γ ⊢pr σ1 ~ σ2 ok and ⊢wf Γ. 

Proof. The proof of this lemma is a straightforward induction on 
typing derivations, appealing to substitution Lemma C.4. □ 

C. Preservation 

This section presents the necessary details for the proof of the 
preservation theorem. The theorem itself is proved by induction 
on the typing derivation with a case analysis of the rule used in the 
operational semantics. Below, we present only three cases, those 
for S_KPush, S_TPush, and S_CPush. These are the only cases 
that differ from the proof described in previous work (Weirich et al. 
2010). We also present many supporting lemmas needed for these 
cases, particularly regarding the treatment of lifting contexts. 

C.1 Lifting contexts 

A lifting context contains two types of mappings: those labeled 
with ↦ that denote a mapping from type or coercion variables 
to existing types and coercions, and those labeled with ↣ that 
denote a mapping from type or coercion variables to fresh type and 
coercion variables. 

A lifting context is considered valid with respect to a context Γ 
and telescope Δ when the following judgement holds: 

Γ ⊢lc Δ ⇝ Ψ   Lifting context validity 

$$\dfrac{\vdash_{wf} \Gamma}{\Gamma \vdash_{lc} \varnothing \rightsquigarrow \varnothing}\quad\text{LC\_Empty}$$

$$\dfrac{\Gamma \vdash_{lc} \Delta \rightsquigarrow \Psi \qquad a \mathrel{\#} \Gamma, \Delta \qquad \Gamma \vdash_{ty} \sigma_1 : \Psi_1(\kappa) \qquad \Gamma \vdash_{ty} \sigma_2 : \Psi_2(\kappa) \qquad \Gamma \vdash_{co} \gamma : \sigma_1 \sim \sigma_2}{\Gamma \vdash_{lc} (\Delta, a{:}\kappa) \rightsquigarrow (\Psi, a{:}\kappa \mapsto (\sigma_1, \sigma_2, \gamma))}\quad\text{LC\_Ty}$$

$$\dfrac{\Gamma \vdash_{lc} \Delta \rightsquigarrow \Psi \qquad c \mathrel{\#} \Gamma, \Delta \qquad \Gamma \vdash_{co} \gamma_1 : \Psi_1(\phi) \qquad \Gamma \vdash_{co} \gamma_2 : \Psi_2(\phi)}{\Gamma \vdash_{lc} (\Delta, c{:}\phi) \rightsquigarrow (\Psi, c{:}\phi \mapsto (\gamma_1, \gamma_2))}\quad\text{LC\_Co}$$

$$\dfrac{\Gamma \vdash_{lc} \Delta \rightsquigarrow \Psi \qquad a_1 \mathrel{\#} \Gamma, \Delta \qquad a_2 \mathrel{\#} \Gamma, \Delta \qquad c \mathrel{\#} \Gamma, \Delta}{\Gamma \vdash_{lc} (\Delta, a{:}\kappa) \rightsquigarrow (\Psi, a{:}\kappa \rightarrowtail (a_1, a_2, c))}\quad\text{LC\_TyFresh}$$

$$\dfrac{\Gamma \vdash_{lc} \Delta \rightsquigarrow \Psi \qquad c_1 \mathrel{\#} \Gamma, \Delta \qquad c_2 \mathrel{\#} \Gamma, \Delta}{\Gamma \vdash_{lc} (\Delta, c{:}\phi) \rightsquigarrow (\Psi, c{:}\phi \rightarrowtail (c_1, c_2))}\quad\text{LC\_CoFresh}$$


We can view the fresh bindings of a lifting context as a typing 
context: 

Definition C.1 (Single flattening). The operation Ψ_j turns a lifting 
context Ψ into a typing context. 

1. For each a:κ ↣ (a1, a2, c) ∈ Ψ, the context Ψ_j includes the 
binding a_j:Ψ_j(κ). 

2. For each c:φ ↣ (c1, c2) ∈ Ψ, the context Ψ_j includes the binding 
c_j:Ψ_j(φ). 

Definition C.2 (Flattening). The operation Ψ turns a lifting context 
into a typing context, which we also write Ψ. 

1. For each a:κ ↣ (a1, a2, c) ∈ Ψ, the context Ψ includes the 
bindings a1:Ψ1(κ), a2:Ψ2(κ), c:a1 ~ a2. 

2. For each c:φ ↣ (c1, c2) ∈ Ψ, the context Ψ includes the bindings 
c1:Ψ1(φ), c2:Ψ2(φ). 

Lemma C.3 (Lifting context domains). If Γ ⊢lc Δ ⇝ Ψ, then the 
domain of Δ equals the set of variables mapped in Ψ. 

Proof. Straightforward induction on the derivation of Γ ⊢lc Δ ⇝ Ψ. □ 

Lemma C.4 (Lifting context substitution). Suppose Γ ⊢lc Δ ⇝ Ψ. 

1. If Γ, Δ, Γ' ⊢ty τ : κ then Γ, Ψ_j, Ψ_j(Γ') ⊢ty Ψ_j(τ) : Ψ_j(κ). 

2. If Γ, Δ, Γ' ⊢pr φ ok then Γ, Ψ_j, Ψ_j(Γ') ⊢pr Ψ_j(φ) ok. 

3. If Γ, Δ, Γ' ⊢co γ : φ then Γ, Ψ_j, Ψ_j(Γ') ⊢co Ψ_j(γ) : Ψ_j(φ). 

4. If Γ, Δ, Γ' ⊢lc Δ' ⇝ Ψ' then 
Γ, Ψ_j, Ψ_j(Γ') ⊢lc Ψ_j(Δ') ⇝ Ψ_j(Ψ'). 

5. If Γ, Δ, Γ' ⊢tel ρ̄ ⇐ Δ' then Γ, Ψ_j, Ψ_j(Γ') ⊢tel Ψ_j(ρ̄) ⇐ 
Ψ_j(Δ'). 

6. If ⊢wf Γ, Δ, Γ', then ⊢wf Γ, Ψ_j, Ψ_j(Γ'). 

Proof. We proceed by mutual induction. 

There are many cases to consider. We consider the interesting 
ones here: 

Case K_Var: We know Γ, Δ, Γ' ⊢ty w : κ, and by inversion, ⊢wf 
Γ, Δ, Γ' and w:κ ∈ Γ, Δ, Γ'. We must show Γ, Ψ_j, Ψ_j(Γ') ⊢ty 
Ψ_j(w) : Ψ_j(κ). 

We have two cases: 

w ∉ dom Δ: Here w is declared either in Γ or in Γ'. 

w ∈ dom Γ: Because w ∉ dom Δ, Ψ_j(w) = w. Furthermore, 
because κ appears in Γ, Δ, Γ' before any element in Δ 
is declared, we know that κ cannot refer to any variable 
declared in Δ. Therefore, Ψ_j(κ) = κ. By the induction 
hypothesis, ⊢wf Γ, Ψ_j, Ψ_j(Γ'), and we can use rule K_Var 
to get Γ, Ψ_j, Ψ_j(Γ') ⊢ty w : κ as desired. 

w ∈ dom Γ': Because w ∉ dom Δ, Ψ_j(w) = w. Furthermore, 
we know w:κ ∈ Γ' and therefore w:Ψ_j(κ) ∈ Ψ_j(Γ'). The 
induction hypothesis gives us ⊢wf Γ, Ψ_j, Ψ_j(Γ') and we can 
use rule K_Var to derive Γ, Ψ_j, Ψ_j(Γ') ⊢ty Ψ_j(w) : Ψ_j(κ) 
as desired. 

w ∈ dom Δ: By Lemma C.3, a mapping for w:κ must exist in Ψ. 
Here, we have two further cases, depending on the nature of the 
mapping: 

↦: Inverting Γ ⊢lc Δ ⇝ Ψ eventually gives us Γ ⊢ty 
Ψ_j(w) : Ψ_j(κ) (from rule LC_Ty). Weakening then 
gives us Γ, Ψ_j, Ψ_j(Γ') ⊢ty Ψ_j(w) : Ψ_j(κ) as desired. 

↣: By the definition of Ψ_j, Ψ_j(w):Ψ_j(κ) ∈ Ψ_j. By the 
induction hypothesis, we can derive ⊢wf Γ, Ψ_j, Ψ_j(Γ'). 
Then, we apply rule K_Var to get Γ, Ψ_j, Ψ_j(Γ') ⊢ty 
Ψ_j(w) : Ψ_j(κ) as desired. 

Case K_AllC: We know Γ, Δ, Γ' ⊢ty ∀c:φ. τ : ⋆, and by 
inversion, Γ, Δ, Γ', c:φ ⊢ty τ : ⋆ and Γ, Δ, Γ' ⊢pr φ ok. We 
must show Γ, Ψ_j, Ψ_j(Γ') ⊢ty ∀c:Ψ_j(φ). Ψ_j(τ) : ⋆. 
The induction hypothesis gives us Γ, Ψ_j, Ψ_j(Γ'), c:Ψ_j(φ) ⊢ty 
Ψ_j(τ) : ⋆ and Γ, Ψ_j, Ψ_j(Γ') ⊢pr Ψ_j(φ) ok. Thus, by rule 
K_AllC, Γ, Ψ_j, Ψ_j(Γ') ⊢ty ∀c:Ψ_j(φ). Ψ_j(τ) : ⋆ and we are 
done. 

Case CT_AllC: We know 

Γ, Δ, Γ' ⊢co ∀(η1,η2)(c1, c2). γ : (∀c1:φ1. τ1) ~ (∀c2:φ2. τ2) 

and by inversion 

Γ, Δ, Γ' ⊢co η1 : σ1 ~ σ1' 

Γ, Δ, Γ' ⊢co η2 : σ2 ~ σ2' 

φ1 = σ1 ~ σ2 

φ2 = σ1' ~ σ2' 

c1 # |γ| 

c2 # |γ| 

Γ, Δ, Γ', c1:φ1, c2:φ2 ⊢co γ : τ1 ~ τ2 

Γ, Δ, Γ' ⊢ty ∀c1:φ1. τ1 : ⋆ 

Γ, Δ, Γ' ⊢ty ∀c2:φ2. τ2 : ⋆ 

We wish to show 

Γ, Ψ_j, Ψ_j(Γ') ⊢co ∀(Ψ_j(η1),Ψ_j(η2))(c1, c2). Ψ_j(γ) : 
(∀c1:Ψ_j(φ1). Ψ_j(τ1)) ~ (∀c2:Ψ_j(φ2). Ψ_j(τ2)). 

To use rule CT_AllC, we need to show 

Γ, Ψ_j, Ψ_j(Γ') ⊢co Ψ_j(η1) : Ψ_j(σ1) ~ Ψ_j(σ1')   (1) 

Γ, Ψ_j, Ψ_j(Γ') ⊢co Ψ_j(η2) : Ψ_j(σ2) ~ Ψ_j(σ2')   (2) 

c1 # |Ψ_j(γ)|   (3) 

c2 # |Ψ_j(γ)|   (4) 

Γ, Ψ_j, Ψ_j(Γ'), c1:Ψ_j(φ1), c2:Ψ_j(φ2) ⊢co 
Ψ_j(γ) : Ψ_j(τ1) ~ Ψ_j(τ2)   (5) 

Γ, Ψ_j, Ψ_j(Γ') ⊢ty ∀c1:Ψ_j(φ1). Ψ_j(τ1) : ⋆   (6) 

Γ, Ψ_j, Ψ_j(Γ') ⊢ty ∀c2:Ψ_j(φ2). Ψ_j(τ2) : ⋆   (7) 

We know (1), (2), (5), (6), and (7) by the induction hypothesis. 
We can derive (3) and (4) by noting that Ψ_j(·) and |·| commute 
with each other and that c1, c2 do not appear in Ψ. Therefore, if 
c1 # |γ|, then c1 # |Ψ_j(γ)| and likewise for c2. Now, we can 
apply CT_AllC and we are done. 

Case CT_Axiom: We know Γ, Δ, Γ' ⊢co C ρ̄ : τ1[ρ̄/Δ'] ~ 
τ2[ρ̄/Δ'], and by inversion, C:∀Δ'.(τ1 ~ τ2) ∈ Γ, Δ, Γ' 
and Γ, Δ, Γ' ⊢tel ρ̄ ⇐ Δ'. We must show 

Γ, Ψ_j, Ψ_j(Γ') ⊢co Ψ_j(C ρ̄) : Ψ_j(τ1[ρ̄/Δ'] ~ τ2[ρ̄/Δ']) 

or, equivalently, 

Γ, Ψ_j, Ψ_j(Γ') ⊢co Ψ_j(C ρ̄) : Ψ_j(τ1)[Ψ_j(ρ̄)/Ψ_j(Δ')] ~ Ψ_j(τ2)[Ψ_j(ρ̄)/Ψ_j(Δ')] 

To use CT_Axiom to prove this fact, we need, in turn, 

C:∀Ψ_j(Δ').(Ψ_j(τ1) ~ Ψ_j(τ2)) ∈ Γ, Ψ_j, Ψ_j(Γ') 

Γ, Ψ_j, Ψ_j(Γ') ⊢tel Ψ_j(ρ̄) ⇐ Ψ_j(Δ') 

The induction hypothesis gives us the second fact above. 
By construction, a lifting context cannot map an axiom variable 
C. Thus, appealing to Lemma C.3, we know that C ∉ dom Δ. 
We then have two cases: 

C ∈ dom Γ: Because C is well-formed in Γ, the type of C 
cannot mention any variables in Δ. Thus, Ψ_j(Δ') = Δ', 
Ψ_j(τ1) = τ1 and Ψ_j(τ2) = τ2. Then, we can conclude that 
C:∀Δ'.(τ1 ~ τ2) ∈ Γ and we are done. 

C ∈ dom Γ': In this case, we can conclude that 
C:∀Ψ_j(Δ').(Ψ_j(τ1) ~ Ψ_j(τ2)) ∈ Ψ_j(Γ') 
and we are done. 

□ 



We will need the following lemmas to prove the lifting lemma: 

Lemma C.5 (Lifting context coercions). If Γ ⊢lc Δ ⇝ Ψ and Ψ 
contains the mapping a:κ ↦ (τ1, τ2, γ), then Γ, Ψ ⊢co γ : τ1 ~ 
τ2. 

Proof. Straightforward induction on Γ ⊢lc Δ ⇝ Ψ. □ 

Lemma C.6 (Weakened lifting context substitution). Suppose Γ ⊢lc 
Δ ⇝ Ψ. 

1. If Γ, Δ ⊢ty τ : κ then Γ, Ψ ⊢ty Ψ_j(τ) : Ψ_j(κ). 

2. If Γ, Δ ⊢co γ : φ then Γ, Ψ ⊢co Ψ_j(γ) : Ψ_j(φ). 

3. If Γ, Δ ⊢lc Δ' ⇝ Ψ' then Γ, Ψ ⊢lc Ψ_j(Δ') ⇝ Ψ_j(Ψ'). 

4. If Γ, Δ ⊢tel ρ̄ ⇐ Δ' then Γ, Ψ ⊢tel Ψ_j(ρ̄) ⇐ Ψ_j(Δ'). 

(This lemma is the same as Lemma C.4, except the j subscripts in 
the conclusion contexts are removed.) 

Proof. Immediate from Lemma C.4 and weakening, noting that any 
differences between Ψ_j and Ψ are guaranteed to be fresh bindings. 
□ 

Lemma C.7 (Erased lifted coercions). Let Ψ contain the mapping 
c:φ ↣ (c1, c2). If Γ ⊢lc Δ ⇝ Ψ and Γ, Δ ⊢ty τ : κ, then 
c1 # |Ψ(τ)| and c2 # |Ψ(τ)|. 

Proof. We proceed by induction on the typing derivation for τ. 

Cases K_StarInStar and K_Arrow: Trivial. 

Case K_Var: τ = w, and we know ⊢wf Γ, Δ and w:κ ∈ Γ, Δ. 
Here we have two cases: 

w ∈ dom Δ: We know w is a type variable, so w ≠ c. Thus, 
w appears either after or before c in Ψ. If w appears after 
c, then, by the fact that all mappings with ↦ precede all 
mappings with ↣ in Ψ, Ψ(w) is some fresh variable c', 
and thus c1 # |Ψ(w)| and c2 # |Ψ(w)| as desired. Going 
forward, we can assume w occurs before c in Ψ. Now, 
the mapping from w may be built with ↦ or ↣. We have 
already handled the latter case, so going forward, we can 
assume that the mapping is built with ↦: Ψ(w) = γ for 
some γ. However, this γ is built from components all of 
which are out of scope of c, c1, and c2. Thus, neither c1 
nor c2 appear in γ and thus do not appear in |γ|. Thus, 
c1 # |Ψ(w)| and c2 # |Ψ(w)| as desired. 

w ∉ dom Δ: In this case Ψ(w) = ⟨w⟩. Because the spaces of 
type variables and coercion variables are distinct, we know 
that w ≠ c1 and w ≠ c2, as desired. 

Case K_App: τ = τ1 τ2, and we know Γ, Δ ⊢ty τ1 : κ1 → κ2 
and Γ, Δ ⊢ty τ2 : κ1. Here, Ψ(τ1 τ2) = Ψ(τ1) Ψ(τ2). 
The induction hypothesis tells us that c1, c2 do not appear in 
|Ψ(τ1)|, |Ψ(τ2)|. Since |γ1 γ2| = |γ1| |γ2|, the desired result 
follows directly from this result. 

Case K_Inst: Analogous to K_App. 

Case K_CApp: τ = τ1 γ1, and we know 

Γ, Δ ⊢ty τ1 : ∀c:φ. κ 

Γ, Δ ⊢co γ1 : φ 

We have Ψ(τ1 γ1) = Ψ(τ1)(Ψ1(γ1), Ψ2(γ1)). The induction 
hypothesis tells us that c1, c2 do not appear in |Ψ(τ1)|. By the 
definition of |·|, |Ψ(τ1 γ1)| = |Ψ(τ1)|(•co, •co). Thus, c1, c2 
do not appear in |Ψ(τ1 γ1)| as desired. 

Case K_AllT: τ = ∀a:κ. τ', and we know Γ, Δ, a:κ ⊢ty 
τ' : ⋆ and Γ, Δ ⊢ty κ : ⋆. Letting Ψ' = Ψ, a:κ ↣ 
(a1, a2, c) (for fresh a1, a2, c), we have |Ψ(∀a:κ. τ')| = 
|∀Ψ(κ)(a1, a2, c). Ψ'(τ')| = ∀|Ψ(κ)|(a1, a2, c). |Ψ'(τ')|. The 
induction hypothesis tells us that c1, c2 do not appear in |Ψ(κ)| 
and |Ψ'(τ')|, so we are done. 

Case K_AllC: Analogous to K_AllT. 

Case K_Cast: τ = τ' ▷ η and we know Γ, Δ ⊢ty τ' : κ1, Γ, Δ ⊢co 
η : κ1 ~ κ2, and Γ, Δ ⊢ty κ2 : ⋆. We have |Ψ(τ' ▷ η)| = 
|sym ((sym Ψ(τ')) ▷ Ψ2(η)) ▷ Ψ1(η)| = sym (sym |Ψ(τ')|). 
The induction hypothesis tells us that c1, c2 do not appear in 
|Ψ(τ')|, so we are done. 

□ 

Proof of Lemma 5.3 (Lifting): If Γ ⊢lc Δ ⇝ Ψ and Γ, Δ ⊢ty 
τ : κ, then 

Γ, Ψ ⊢co Ψ(τ) : Ψ1(τ) ~ Ψ2(τ) 

Proof. We proceed by induction on the typing derivation for τ. 

Case K_StarInStar: Trivial: Γ, Ψ ⊢co ⟨⋆⟩ : ⋆ ~ ⋆. 

Case K_Arrow: Trivial: Γ, Ψ ⊢co ⟨(→)⟩ : (→) ~ (→). 

Case K_Var: τ = w, and we know ⊢wf Γ, Δ and w:κ ∈ Γ, Δ. 
Here we have two cases: 

w ∈ dom Δ: By the definition of Δ, w must be a type variable 
a. Using Lemma C.3, there must exist a mapping a:κ ↦ 
(τ1, τ2, γ) in Ψ. Then, we know Ψ(w) = γ, Ψ1(w) = τ1, 
and Ψ2(w) = τ2. By Lemma C.5, we can get Γ, Ψ ⊢co γ : 
τ1 ~ τ2, and thus Γ, Ψ ⊢co Ψ(w) : Ψ1(w) ~ Ψ2(w) as 
desired. 

w ∉ dom Δ: Trivial: Γ, Ψ ⊢co ⟨w⟩ : w ~ w. 

Case K_App: τ = τ1 τ2, and we know Γ, Δ ⊢ty τ1 : κ1 → κ2 
and Γ, Δ ⊢ty τ2 : κ1. Ψ(τ1 τ2) = Ψ(τ1) Ψ(τ2). The induction 
hypothesis gives us 

Γ, Ψ ⊢co Ψ(τ1) : Ψ1(τ1) ~ Ψ2(τ1) 

Γ, Ψ ⊢co Ψ(τ2) : Ψ1(τ2) ~ Ψ2(τ2). 

We now wish to use rule CT_App, but we need to know 

Γ, Ψ ⊢ty Ψ1(τ1) Ψ1(τ2) : σ1 

Γ, Ψ ⊢ty Ψ2(τ1) Ψ2(τ2) : σ2 

for some types σ1 and σ2. Lemma C.6 applied to the types of 
τ1 and τ2, along with straightforward typing rule applications, 
gives us exactly these facts. Thus, 

Γ, Ψ ⊢co Ψ(τ1) Ψ(τ2) : Ψ1(τ1) Ψ1(τ2) ~ Ψ2(τ1) Ψ2(τ2) 

or 

Γ, Ψ ⊢co Ψ(τ1 τ2) : Ψ1(τ1 τ2) ~ Ψ2(τ1 τ2) 

as desired. 

Case K_Inst: τ = τ1 τ2, and we know Γ, Δ ⊢ty τ1 : ∀a:κ1. κ2 
and Γ, Δ ⊢ty τ2 : κ1. This case then proceeds identically to the 
previous case. 

Case K_CApp: τ = τ1 γ1, and we know Γ, Δ ⊢ty τ1 : ∀c:φ. κ 
and Γ, Δ ⊢co γ1 : φ. Ψ(τ1 γ1) = Ψ(τ1)(Ψ1(γ1), Ψ2(γ1)). 
The induction hypothesis gives us 

Γ, Ψ ⊢co Ψ(τ1) : Ψ1(τ1) ~ Ψ2(τ1). 

We now wish to use rule CT_CApp, but we need to know 

Γ, Ψ ⊢ty Ψ1(τ1) Ψ1(γ1) : κ 

Γ, Ψ ⊢ty Ψ2(τ1) Ψ2(γ1) : κ' 

for some types κ and κ'. Lemma C.6 applied to the types of 
τ1 and γ1, along with straightforward typing rule applications, 
gives us exactly these facts. Thus, 

Γ, Ψ ⊢co Ψ(τ1 γ1) : Ψ1(τ1) Ψ1(γ1) ~ Ψ2(τ1) Ψ2(γ1) 

or 

Γ, Ψ ⊢co Ψ(τ1 γ1) : Ψ1(τ1 γ1) ~ Ψ2(τ1 γ1) 

as desired. 

Case K_AllT: τ = ∀a:κ. τ', and we know Γ, Δ, a:κ ⊢ty τ' : ⋆ 
and Γ, Δ ⊢ty κ : ⋆. We can use LC_TyFresh to derive 
Γ ⊢lc Δ, a:κ ⇝ Ψ, a:κ ↣ (a1, a2, c) for fresh a1, a2, c. 
Write Ψ' for this extended lifting context. 
We wish to show 

Γ, Ψ ⊢co Ψ(∀a:κ. τ') : Ψ1(∀a:κ. τ') ~ Ψ2(∀a:κ. τ') 

or, equivalently, 

Γ, Ψ ⊢co ∀Ψ(κ)(a1, a2, c). Ψ'(τ') : 
∀a1:Ψ1(κ). Ψ'1(τ') ~ ∀a2:Ψ2(κ). Ψ'2(τ') 

By the induction hypothesis, we have 

Γ, Ψ ⊢co Ψ(κ) : Ψ1(κ) ~ Ψ2(κ) 

Γ, Ψ' ⊢co Ψ'(τ') : Ψ'1(τ') ~ Ψ'2(τ') 

We wish to use CT_AllT. The first two premises are already 
satisfied, noting that Ψ' contains the extra bindings for the 
second premise. We must show 

Γ, Ψ ⊢ty ∀a_j:Ψ_j(κ). Ψ'_j(τ') : ⋆ 

This fact comes directly from the use of Lemma C.6 applied to 
the type of ∀a:κ. τ'. 

Thus, we can apply CT_AllT, and we are done. 

Case K_AllC: τ = ∀c:φ. τ', and we know Γ, Δ, c:φ ⊢ty τ' : ⋆ 
and Γ, Δ ⊢pr φ ok. We can use LC_CoFresh to derive Γ ⊢lc 
Δ, c:φ ⇝ Ψ, c:φ ↣ (c1, c2) for fresh c1, c2. Write Ψ' for 
this extended lifting context, and let φ = σ1 ~ σ2. 
We wish to show 

Γ, Ψ ⊢co Ψ(∀c:φ. τ') : Ψ1(∀c:φ. τ') ~ Ψ2(∀c:φ. τ') 

or, equivalently, 

Γ, Ψ ⊢co ∀(Ψ(σ1),Ψ(σ2))(c1, c2). Ψ'(τ') : 
∀c1:Ψ1(σ1) ~ Ψ1(σ2). Ψ'1(τ') ~ 
∀c2:Ψ2(σ1) ~ Ψ2(σ2). Ψ'2(τ') 

We use inversion on Γ, Δ ⊢pr σ1 ~ σ2 ok to get 

Γ, Δ ⊢ty σ1 : κ1 

Γ, Δ ⊢ty σ2 : κ2 

By the induction hypothesis, we have 

Γ, Ψ ⊢co Ψ(σ1) : Ψ1(σ1) ~ Ψ2(σ1) 

Γ, Ψ ⊢co Ψ(σ2) : Ψ1(σ2) ~ Ψ2(σ2) 

Γ, Ψ' ⊢co Ψ'(τ') : Ψ'1(τ') ~ Ψ'2(τ') 

We wish to use CT_AllC. The first, second, third, fourth, 
and seventh premises are already satisfied. The fifth and sixth 
premises are c1 # |Ψ'(τ')| and c2 # |Ψ'(τ')|, respectively. 
We use Lemma C.7 to get these conditions. Now, it remains 
only to show 

Γ, Ψ ⊢ty ∀c_j:Ψ_j(φ). Ψ'_j(τ') : ⋆ 

This fact comes directly from the use of Lemma C.6 applied to 
the type of ∀c:φ. τ'. 

Thus, we can apply CT_AllC, and we are done. 

Case K_Cast: τ = τ' ▷ η, and we know Γ, Δ ⊢ty τ' : κ1, 
Γ, Δ ⊢co η : κ1 ~ κ2, and Γ, Δ ⊢ty κ2 : ⋆. We wish to 
show 

Γ, Ψ ⊢co Ψ(τ' ▷ η) : Ψ1(τ' ▷ η) ~ Ψ2(τ' ▷ η) 

or, equivalently, 

Γ, Ψ ⊢co sym ((sym Ψ(τ')) ▷ Ψ2(η)) ▷ Ψ1(η) : 
Ψ1(τ') ▷ Ψ1(η) ~ Ψ2(τ') ▷ Ψ2(η). 

By the induction hypothesis, we have 

Γ, Ψ ⊢co Ψ(τ') : Ψ1(τ') ~ Ψ2(τ'). 

Using this fact with straightforward application of typing rules 
gives us the desired result. 

□ 

C.2 Metatheory for S_KPush Preservation 

Having proved the lifting lemma, we still must present and prove a 
number of other lemmas before proving that the types are preserved 
in the S_KPush case. 

Lemma C.8 (Telescope substitution). If Γ ⊢lc Δ ⇝ Ψ and ⊢wf Δ, 
then Ψ_j(Δ) = Δ. 

Proof. By Lemma C.3, the domain of Ψ equals the domain of Δ. 
Furthermore, ⊢wf Δ implies that all kinds in Δ (constructs to the 
right of a colon) are well-scoped — that is, no variable is mentioned 
before it is declared. Because the Ψ_j(Δ) operation is defined only 
to substitute in kinds and not to substitute a variable after it is 
locally bound, it is impossible for the substitution to change Δ. 
Thus, Ψ_j(Δ) = Δ, as desired. □ 

Lemma C.9 (Ψ_j-consistency). If Γ ⊢lc Δ ⇝ Ψ, then Γ ⊢tel 
Ψ_j(dom Δ) ⇐ Δ. 

Proof. We wish to use clause 5 of the lifting context substitution 
lemma (Lemma C.4), with ρ̄ = dom Δ and Δ' = Δ. We must 
show Γ, Δ ⊢tel dom Δ ⇐ Δ. This is true by straightforward 
induction on the length of Δ. Then, we apply Lemma C.4 to get 
Γ ⊢tel Ψ_j(dom Δ) ⇐ Ψ_j(Δ). By Lemma C.8, this can be rewritten 
as Γ ⊢tel Ψ_j(dom Δ) ⇐ Δ, as desired. □ 

Lemma C.10 (Lifting context extension consistency). If Γ ⊢lc 
Δ1 ⇝ Ψ, ⊢wf Γ, Δ1, Δ2, Γ ⊢tel ρ̄2 ⇐ Ψ1(Δ2), and Ψ' = 
extend(Ψ; ρ̄2; Δ2), then Γ ⊢lc Δ1, Δ2 ⇝ Ψ'. 

Proof. We proceed by induction on the derivation of Γ ⊢tel ρ̄2 ⇐ 
Ψ1(Δ2). 

• Case ρ̄2 = ∅; Δ2 = ∅: In this case Ψ' = Ψ, and thus we must 
show Γ ⊢lc Δ1 ⇝ Ψ, which we know by assumption. 

• Case ρ̄2 = ρ̄2', τ; Δ2 = Δ2', a:κ: 

The inductive hypothesis is: if ⊢wf Γ, Δ1, Δ2', Γ ⊢tel ρ̄2' ⇐ 
Ψ1(Δ2'), and Ψ'' = extend(Ψ; ρ̄2'; Δ2'), then Γ ⊢lc Δ1, Δ2' ⇝ Ψ''. 
We must show Γ ⊢lc Δ1, Δ2', a:κ ⇝ Ψ', where Ψ' = 
extend(Ψ; ρ̄2', τ; Δ2', a:κ). 

By the definition of extend, we know we will have to use rule 
LC_Ty. It is easy to see from the definition of extend that Ψ' is 
Ψ'' with an additional mapping from a. Thus, Γ ⊢lc Δ1, Δ2' ⇝ 
Ψ'' fulfills the first premise of LC_Ty. To use LC_Ty, we must 
show the following: 

1. Γ ⊢ty τ : Ψ''1(κ) 

We know Γ ⊢tel ρ̄2', τ ⇐ Ψ1(Δ2', a:κ). Inverting gives us 
Γ ⊢ty τ : Ψ1(κ)[ρ̄2'/Ψ1(Δ2')]. Because we care only about 
the names of the variables in the substitution expression, we 
can rewrite this as Γ ⊢ty τ : Ψ1(κ)[ρ̄2'/Δ2']. From the 
definition of extend, we can see that all of the substitutions 
performed by Ψ''1(·) that are not in Ψ map a domain element 
of Δ2' to its corresponding ρ ∈ ρ̄2'. Thus, we can rewrite the 
judgement above as Γ ⊢ty τ : Ψ''1(κ) as desired. 

2. Γ ⊢ty τ ▷ Ψ''(κ) : Ψ''2(κ) 

We wish to use the lifting lemma (Lemma 5.3). We know 
Γ ⊢lc Δ1, Δ2' ⇝ Ψ''. We must show Γ, Δ1, Δ2' ⊢ty κ : σ 
for some σ. This fact, for σ = ⋆, comes directly from 
inversion on ⊢wf Γ, Δ1, Δ2', a:κ. 

Now, we apply the lifting lemma to get Γ ⊢co Ψ''(κ) : 
Ψ''1(κ) ~ Ψ''2(κ). As shown in the previous case, Γ ⊢ty 
τ : Ψ''1(κ). Therefore, by simple application of typing 
rules, we can derive Γ ⊢ty τ ▷ Ψ''(κ) : Ψ''2(κ) as desired. 

3. Γ ⊢co sym (⟨τ⟩ ▷ Ψ''(κ)) : τ ~ (τ ▷ Ψ''(κ)) 

Straightforward application of typing rules. 

• Case ρ̄2 = ρ̄2', γ; Δ2 = Δ2', c:φ: 

The inductive hypothesis is the same as in the previous case. 
We must show Γ ⊢lc Δ1, Δ2', c:φ ⇝ Ψ', where Ψ' = 
extend(Ψ; ρ̄2', γ; Δ2', c:φ). 

By the definition of the extend operation, we know we will 
have to use rule LC_Co. It is easy to see from the definition 
of extend that Ψ' is Ψ'' with an additional mapping from c. 
Thus, Γ ⊢lc Δ1, Δ2' ⇝ Ψ'' fulfills the first premise of LC_Co. 
To use LC_Co, we must show the following: 

1. Γ ⊢co γ : Ψ''1(φ) 

We know Γ ⊢tel ρ̄2', γ ⇐ Ψ1(Δ2', c:φ). Inverting gives us 
Γ ⊢co γ : Ψ1(φ)[ρ̄2'/Ψ1(Δ2')]. Because we care only 
about the names of the variables in the substitution expression, 
we can rewrite this as Γ ⊢co γ : Ψ1(φ)[ρ̄2'/Δ2']. 
From the definition of extend, we can see that all of the 
substitutions performed by Ψ''1(·) that are not in Ψ map a 
domain element of Δ2' to its corresponding ρ ∈ ρ̄2'. Thus, 
we can rewrite the judgement above as Γ ⊢co γ : Ψ''1(φ), 
as desired. 

2. Γ ⊢co sym (Ψ''(σ1)) ; γ ; Ψ''(σ2) : Ψ''2(σ1) ~ Ψ''2(σ2), 
where φ = σ1 ~ σ2 

We wish to use the lifting lemma (Lemma 5.3) twice to 
get the types of Ψ''(σ1) and Ψ''(σ2). We know Γ ⊢lc 
Δ1, Δ2' ⇝ Ψ''. We must show Γ, Δ1, Δ2' ⊢ty σ1 : κ1 for 
some κ1 and Γ, Δ1, Δ2' ⊢ty σ2 : κ2 for some κ2. Inversion 
on ⊢wf Γ, Δ1, Δ2', c:σ1 ~ σ2 gives us Γ, Δ1, Δ2' ⊢pr σ1 ~ 
σ2 ok, and further inversion gives us Γ, Δ1, Δ2' ⊢ty σ1 : κ1 
and Γ, Δ1, Δ2' ⊢ty σ2 : κ2 for some κ1 and κ2, exactly 
what we needed. 

Now, we apply the lifting lemma to get Γ ⊢co Ψ''(σ_i) : 
Ψ''1(σ_i) ~ Ψ''2(σ_i). As shown in the previous case, Γ ⊢co 
γ : Ψ''1(σ1) ~ Ψ''1(σ2). Therefore, by simple application 
of typing rules, we can derive Γ ⊢co sym (Ψ''(σ1)) ; γ ; 
Ψ''(σ2) : Ψ''2(σ1) ~ Ψ''2(σ2) as desired. 

□ 

Lemma C.11 (Telescope composition). If Γ ⊢tel ρ̄1 ⇐ Δ1 and 
Γ ⊢tel ρ̄1, ρ̄2 ⇐ Δ1, Δ2, then Γ ⊢tel ρ̄2 ⇐ Δ2[ρ̄1/Δ1]. 

Proof Sketch. By induction on the length of ρ̄2. □ 

Lemma C.12 (S_KPush preservation). If 

1. Γ ⊢tm case (K τ̄ ρ̄ ē ▷ γ) of p̄ → ū : σ and 

2. case (K τ̄ ρ̄ ē ▷ γ) of p̄ → ū ⟶ case (K τ̄' ρ̄' ē') of p̄ → ū, 

then 

Γ ⊢tm case (K τ̄' ρ̄' ē') of p̄ → ū : σ 

Proof. By inversion we know that: 

• K:∀ā:κ̄.∀Δ.σ̄ → (T ā) ∈ Γ 

• Ψ = extend(context(γ); ρ̄; Δ) 

• τ̄' = Ψ2(ā) 

• ρ̄' = Ψ2(dom Δ) 

• e_i' = e_i ▷ Ψ(σ_i) 

• Γ ⊢tm e_i : σ_i[τ̄/ā][ρ̄/Δ] 

• Γ ⊢tm (K τ̄ ρ̄ ē) ▷ γ : T τ̄' 

• Γ ⊢tm K τ̄ ρ̄ ē : T τ̄ 

We will have to use rule T_Case to get the desired result. 
Because the patterns are not changing, we need only show that 
Γ ⊢tm K τ̄' ρ̄' ē' : T τ̄'. 

By convention, we have chosen the length of the list τ̄ to be the 
same as that of the list ā:κ̄ in the type of K. Thus, we know that 
Γ ⊢tm K τ̄' : ∀Δ[τ̄'/ā].(σ̄[τ̄'/ā] → T τ̄'). 

Now, we must show that Γ ⊢tel ρ̄' ⇐ Δ[τ̄'/ā]. This can be 
rewritten as Γ ⊢tel Ψ2(dom Δ) ⇐ Δ[τ̄'/ā]. 

We know from Lemma C.10 that Γ ⊢lc ā:κ̄, Δ ⇝ Ψ (using 
Lemma 5.5 to get Γ ⊢lc ā:κ̄ ⇝ context(γ)). Lemma C.9 then 
gives us Γ ⊢tel Ψ2(ā, dom Δ) ⇐ ā:κ̄, Δ. Invoking Lemma C.11 
gives us Γ ⊢tel Ψ2(dom Δ) ⇐ Δ[τ̄'/ā] as desired. 

We have now shown that Γ ⊢tm K τ̄' ρ̄' : Ψ2(σ̄) → T τ̄'. 
We need to show that Γ ⊢tm ē' : Ψ2(σ̄), or equivalently, 
Γ ⊢tm e_i ▷ Ψ(σ_i) : Ψ2(σ_i). We will need the lifting lemma 
(Lemma 5.3). We have already shown Γ ⊢lc ā:κ̄, Δ ⇝ Ψ; we 
must show Γ, ā:κ̄, Δ ⊢ty σ_i : κ_i for some type κ_i. By repeated 
inversion on the typing judgement for K, we will get Γ, ā:κ̄, Δ ⊢ty 
σ_i : κ_i as desired. Thus, the lifting lemma gives us Γ ⊢co Ψ(σ_i) : 
Ψ1(σ_i) ~ Ψ2(σ_i). We note that, by construction, Ψ1(·) maps 
ā to τ̄ and dom Δ to ρ̄. Thus, σ_i[τ̄/ā][ρ̄/Δ] = Ψ1(σ_i). Now, 
by straightforward application of typing rules, we can see that 
Γ ⊢tm e_i ▷ Ψ(σ_i) : Ψ2(σ_i) as desired. 

Thus, Γ ⊢tm K τ̄' ρ̄' ē' : T τ̄' as desired, and we are done. □ 

C.3 Other preservation cases 
Lemma C.13 (S_TPUSH Preservation). If 

1. F htm (v > 7) t : a 2 [T/a 2 ]and 

2. r hco 7 : V 01: Ki. <7i ~ V a 2 : k 2 . CT2 
J. (v > 7) r — > e' w/iere 

4. e' = v(rt> 7') > 7@((r) > 7') and 

5. 7' = sym (nth 1 7), 

then T Km e' : <Ji\r 1 02]- 

Proof. By inversion of the typing derivation we know that T hf m 
v > 7 : V a 2 : k 2 . cr 2 and T ht y r : k 2 . An additional inversion 
gives us r ht m v : V ay. Ki. o~\. Therefore we can show that 

• r hco 7' : k 2 ~ Ki, by the rules for symmetry and nth and 

• r hty r > 7' : ki, by casting and 

• r htm v (t > 7') : (J 1 [r > 7'/ 01], by type application. 

Furthermore, we have 

• T hco (r) t> 7' : t t> 7' ~ r, by reflexivity and coherence and 
•T hco 7@((r) > 7') : <ri[r > 7'/<n] ~ o- 2 [r/a 2 ], by 

instantiation. 

Thus the final term has the desired type by casting. □ 



Lemma C.14 (S_CPush Preservation). If

1. $\Gamma \vdash_{\mathrm{tm}} (v \triangleright \gamma)\,\gamma' : \sigma$ and

2. $(v \triangleright \gamma)\,\gamma' \longrightarrow v\,\gamma'' \triangleright \gamma@(\gamma'', \gamma')$, where

3. $\gamma'' = \mathrm{nth}\,1\,\gamma \mathbin{;} \gamma' \mathbin{;} \mathrm{sym}\,(\mathrm{nth}\,2\,\gamma)$ and

4. $\Gamma \vdash_{\mathrm{co}} \gamma : (\forall c{:}\phi.\,\tau) \sim (\forall c'{:}\phi'.\,\tau')$,

then $\Gamma \vdash_{\mathrm{tm}} v\,\gamma'' \triangleright \gamma@(\gamma'', \gamma') : \sigma$.

Proof. By inversion, we have

• $\Gamma \vdash_{\mathrm{tm}} v \triangleright \gamma : \forall c'{:}\phi'.\,\tau'$

• $\Gamma \vdash_{\mathrm{tm}} v : \forall c{:}\phi.\,\tau$

• $\Gamma \vdash_{\mathrm{co}} \gamma' : \phi'$

• $\sigma = \tau'[\gamma'/c']$.

Let $\phi = \sigma_1 \sim \sigma_2$ and $\phi' = \sigma'_1 \sim \sigma'_2$. We can show

• $\Gamma \vdash_{\mathrm{co}} \mathrm{nth}\,1\,\gamma : \sigma_1 \sim \sigma'_1$, by CT_Nth1CA

• $\Gamma \vdash_{\mathrm{co}} \mathrm{nth}\,2\,\gamma : \sigma_2 \sim \sigma'_2$, by CT_Nth2CA

• $\Gamma \vdash_{\mathrm{co}} \mathrm{sym}\,(\mathrm{nth}\,2\,\gamma) : \sigma'_2 \sim \sigma_2$, by symmetry

• $\Gamma \vdash_{\mathrm{co}} \gamma'' : \sigma_1 \sim \sigma_2$, by definition of transitivity

• $\Gamma \vdash_{\mathrm{tm}} v\,\gamma'' : \tau[\gamma''/c]$, by coercion instantiation

• $\Gamma \vdash_{\mathrm{co}} \gamma@(\gamma'', \gamma') : \tau[\gamma''/c] \sim \tau'[\gamma'/c']$, by CT_InstC.

The final term has the desired type by casting. □

D. Type Erasure

We need the following small lemma before we can prove type erasure:

Lemma D.1 (Type erasure erases types). No type variable $a$ or coercion variable $c$ appears free in $|e|$, for any expression $e$.

Proof. Straightforward inspection of the definition of $|e|$. □

Corollary D.2 (Substitution in erased expressions). For all expressions $e$, types $\tau$, coercions $\gamma$, and variables $a$ and $c$,

1. $|e[\tau/a]| = |e|$

2. $|e[\gamma/c]| = |e|$

We can now present the proof for the type erasure theorem: If $e \longrightarrow e'$, then either $|e| = |e'|$ or $|e| \longrightarrow |e'|$.

Proof. We proceed by induction on $e \longrightarrow e'$.

Cases S_Beta, S_TBeta, S_CBeta, S_CaseMatch: The erased expression steps by the same rule as the unerased expression, appealing to Corollary D.2 in the S_TBeta and S_CBeta cases (the substituted type or coercion disappears under erasure).

Cases S_EApp, S_TApp, S_CApp, S_Case: We appeal to the induction hypothesis. If $|e| = |e'|$, we are done. If $|e| \longrightarrow |e'|$, then we use the same stepping rule as the unerased expression used.

Cases S_Push, S_TPush, S_CPush, S_Comb: Straightforward application of the definition of erasure yields $|e| = |e'|$.

Case S_Coerce: Given rule:
\[
\frac{e \longrightarrow e'}{e \triangleright \gamma \longrightarrow e' \triangleright \gamma}\ \textsc{S\_Coerce}
\]
By the definition of erasure, $|e \triangleright \gamma| = |e|$ and $|e' \triangleright \gamma| = |e'|$. By the induction hypothesis, either $|e| = |e'|$ or $|e| \longrightarrow |e'|$. In either case, we are done.

Case S_KPush: Given rule:
\[
\frac{
\begin{array}{c}
K : \forall \overline{a{:}\kappa}.\ \forall \Delta.\ \overline{\sigma} \to (T\,\overline{a}) \in \Gamma \qquad
\Psi = \mathrm{extend}(\mathrm{context}(\gamma); \overline{\rho}; \Delta) \\
\overline{\tau}' = \Psi_2(\overline{a}) \qquad
\overline{\rho}' = \Psi_2(\mathrm{dom}\,\Delta) \qquad
\text{for each } e_i \in \overline{e},\ e'_i = e_i \triangleright \Psi(\sigma_i)
\end{array}
}{
\mathbf{case}\ ((K\,\overline{\tau}\,\overline{\rho}\,\overline{e}) \triangleright \gamma)\ \mathbf{of}\ \overline{p \to u}
\ \longrightarrow\
\mathbf{case}\ (K\,\overline{\tau}'\,\overline{\rho}'\,\overline{e}')\ \mathbf{of}\ \overline{p \to u}
}\ \textsc{S\_KPush}
\]
Here, $e = \mathbf{case}\ ((K\,\overline{\tau}\,\overline{\rho}\,\overline{e}) \triangleright \gamma)\ \mathbf{of}\ \overline{p \to u}$ and $e' = \mathbf{case}\ (K\,\overline{\tau}'\,\overline{\rho}'\,\overline{e}')\ \mathbf{of}\ \overline{p \to u}$. Thus, by the definition of erasure, $|e| = \mathbf{case}\ (K\ \bullet\ |\overline{e}|)\ \mathbf{of}\ \overline{p \to |u|}$ and $|e'| = \mathbf{case}\ (K\ \bullet\ |\overline{e}'|)\ \mathbf{of}\ \overline{p \to |u|}$. To show that $|e| = |e'|$, we must show only that $|\overline{e}| = |\overline{e}'|$. From the definition of S_KPush, $e'_i = e_i \triangleright \Psi(\sigma_i)$ and thus $|e'_i| = |e_i|$ as desired. □
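The erasure function and its interaction with substitution can be checked by execution. The following is an added example written for this appendix in Python; it is not code from the paper or from GHC. The tuple encoding of expressions, types and coercions, the bullet placeholder left where a type or coercion argument is erased, and the sample term are all assumptions made here. The model does no α-renaming, which is enough for the closed-binder sample it runs on. It checks Lemma D.1 (the erased term mentions no type or coercion variable), both halves of Corollary D.2 (erasure commutes with type and with coercion substitution) and the S_Coerce equation $|e \triangleright \gamma| = |e|$.

```python
"""Constructed model of System FC expression erasure |e|, written for this
appendix (not the paper's or GHC's code), to check Lemma D.1 and
Corollary D.2 by running them on a sample term."""

BULLET = '•'  # what is left where a type or coercion used to be

# Assumed encodings (plain tuples, no alpha-renaming of binders):
#   types / coercions: ('tvar', a) | ('tcon', T) | ('tapp', t1, t2)
#                      | ('cvar', c) | ('refl', t) | ('sym', g) | ('cast', t, g)
#   expressions:       ('var', x) | ('lam', x, ty, e) | ('app', e1, e2)
#                      | ('tlam', a, kind, e) | ('tapp', e, ty)
#                      | ('clam', c, prop, e) | ('capp', e, g)
#                      | ('cast', e, g) | ('con', K, [tys], [cos], [args])
BINDS = {'tlam': 'tvar', 'clam': 'cvar'}  # which binder shadows which variable kind

def subst_ty(t, var, repl):
    """t[repl/var] on types and coercions, var = ('tvar', a) or ('cvar', c)."""
    if t == var:
        return repl
    if isinstance(t, tuple) and t[0] in ('tapp', 'refl', 'sym', 'cast'):
        return (t[0],) + tuple(subst_ty(x, var, repl) for x in t[1:])
    return t

def subst_expr(e, var, repl):
    """e[repl/var]: substitute into annotations, arguments and casts."""
    tag = e[0]
    if tag == 'var':
        return e
    if tag in ('lam', 'tlam', 'clam'):
        # a binder of the same kind and name shadows var inside the body
        body = e[3] if (BINDS.get(tag), e[1]) == var else subst_expr(e[3], var, repl)
        return (tag, e[1], subst_ty(e[2], var, repl), body)
    if tag == 'app':
        return ('app', subst_expr(e[1], var, repl), subst_expr(e[2], var, repl))
    if tag in ('tapp', 'capp', 'cast'):
        return (tag, subst_expr(e[1], var, repl), subst_ty(e[2], var, repl))
    if tag == 'con':
        return ('con', e[1], [subst_ty(t, var, repl) for t in e[2]],
                [subst_ty(g, var, repl) for g in e[3]],
                [subst_expr(x, var, repl) for x in e[4]])
    raise ValueError(f'unknown expression form {tag}')

def erase(e):
    """|e|: drop casts; replace type/coercion binders and arguments by BULLET,
    so that S_TBeta and S_CBeta still step after erasure."""
    tag = e[0]
    if tag == 'var':
        return e
    if tag == 'lam':
        return ('lam', e[1], erase(e[3]))
    if tag in ('tlam', 'clam'):
        return (tag, BULLET, erase(e[3]))
    if tag == 'app':
        return ('app', erase(e[1]), erase(e[2]))
    if tag in ('tapp', 'capp'):
        return (tag, erase(e[1]), BULLET)
    if tag == 'cast':
        return erase(e[1])
    if tag == 'con':
        return ('con', e[1], BULLET, [erase(x) for x in e[4]])
    raise ValueError(f'unknown expression form {tag}')

def mentioned_vars(node):
    """Names of all type and coercion variables occurring anywhere in node."""
    found = set()
    if isinstance(node, tuple) and node[0] in ('tvar', 'cvar'):
        found.add(node[1])
    if isinstance(node, (tuple, list)):
        for child in node:
            found |= mentioned_vars(child)
    return found

def sample():
    """Constructed term  Λb:⋆. λx:a. (K a c (x ▷ c)) b,  with a and c free."""
    a, c = ('tvar', 'a'), ('cvar', 'c')
    k = ('con', 'K', [a], [c], [('cast', ('var', 'x'), c)])
    return ('tlam', 'b', ('tcon', '*'), ('lam', 'x', a, ('tapp', k, ('tvar', 'b'))))

def erasure_commutes_with_subst(e, var, repl):
    """Corollary D.2: |e[repl/var]| = |e|."""
    return erase(subst_expr(e, var, repl)) == erase(e)
```

Substituting `Int` for `a` changes three annotations in the sample term, yet the erased term is unchanged, which is exactly what the S_TBeta and S_CBeta cases of the proof rely on; the S_KPush case is the same observation applied under a `con` node, where `erase` discards the type and coercion arguments and the casts on the fields together.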



E. Metatheory for Consistency

In this section, we show that good contexts are consistent contexts, following the plan laid out in Section 6. Recall the conditions of a good context:

We have $\mathrm{Good}\ \Gamma$ when the following conditions hold:

1. All coercion assumptions and axioms in $\Gamma$ are of the form $C : \forall \Delta.\ (F\,\overline{\tau} \sim \tau')$ or of the form $c : a_1 \sim a_2$. In the first form, the arguments to the type function must behave like patterns: for all $\overline{\rho}$, every $\tau_i \in \overline{\tau}$ and every $\tau'_i$ such that $\Gamma \models \tau_i[\overline{\rho}/\Delta] \leadsto \tau'_i$, there exists $\overline{\rho}'$ such that $\tau'_i = \tau_i[\overline{\rho}'/\Delta]$ and $\Gamma \models \sigma_m \leadsto \sigma'_m$ for each $\sigma_m \in \overline{\rho}$ and $\sigma'_m \in \overline{\rho}'$.

2. Axioms and coercion assumptions don't overlap. For each $F\,\overline{\tau}$, there exists at most one prefix $\overline{\tau}_1$ of $\overline{\tau}$ such that there exist $C$ and $\overline{\rho}$ where $C : \forall \Delta.\ F\,\overline{\sigma}_0 \sim \sigma_1 \in \Gamma$ and $\overline{\tau}_1 = \overline{\sigma}_0[\overline{\rho}/\Delta]$. These $C$ and $\overline{\rho}$ are unique for every matching $F\,\overline{\tau}_1$.

3. For each $a$, there is at most one assumption of the form $c : a \sim a'$ or $c : a' \sim a$, and $a \neq a'$.

4. Axioms equate types of the same kind. For each $C : \forall \Delta.\ (F\,\overline{\tau} \sim \tau')$ in $\Gamma$, the kinds of each side must be equal: for some $\kappa$, $\Gamma, \Delta \models F\,\overline{\tau} : \kappa$ and $\Gamma, \Delta \models \tau' : \kappa$, and that kind must not mention bindings in the telescope, $\Gamma \models \kappa : \star$.
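Condition 2 is the one a checker can actually decide, and it is the one whose failure is easiest to see. The following added example (Python, written for this appendix; not code from the paper or from GHC's own family-instance checker) treats types as first-order terms and an axiom's telescope $\Delta$ as the set of variables in its left-hand side, with no kinds; it decides whether two axioms for the same $F$ can match a common prefix of some $F\,\overline{\tau}$ by unifying the shorter left-hand side against a prefix of the longer one, and it implements the matching half of rule TS_Red: find every axiom whose left-hand side matches a prefix of the arguments and rewrite. The three contexts at the end are constructed for the demonstration. In a good context the reduct list has at most one element; in an overlapping context $F\,\mathrm{Bool}\,\mathrm{Int}$ rewrites to two different constants, so the rewrite relation loses the diamond property of Lemma E.6 and the context can prove two distinct value types equal.

```python
"""Constructed checker for condition 2 of Good Γ and for TS_Red, written
for this appendix (not the paper's or GHC's code).  Types are first-order
tuples; an axiom's telescope Δ is just the set of variables in its LHS."""

# Type encoding (assumed):  ('con', T) | ('var', a) | ('app', t1, t2)
# Axiom encoding (assumed): (name, F, [lhs args], rhs)  for  C: ∀Δ. F lhs ~ rhs

def subst(t, env):
    """t[env] for a variable-to-type environment."""
    if t[0] == 'var':
        return env.get(t[1], t)
    if t[0] == 'app':
        return ('app', subst(t[1], env), subst(t[2], env))
    return t

def match(pat, ty, env):
    """One-way matching: extend env so that pat[env] == ty, else False."""
    if pat[0] == 'var':
        env.setdefault(pat[1], ty)
        return env[pat[1]] == ty
    if pat[0] != ty[0] or len(pat) != len(ty):
        return False
    if pat[0] == 'con':
        return pat[1] == ty[1]
    return match(pat[1], ty[1], env) and match(pat[2], ty[2], env)

def resolve(t, env):
    while t[0] == 'var' and t[1] in env:
        t = env[t[1]]
    return t

def free_vars(t, env):
    t = resolve(t, env)
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return free_vars(t[1], env) | free_vars(t[2], env)
    return set()

def unify(t1, t2, env):
    """Two-way unification with occurs check: True iff t1 and t2 have a common
    instance, i.e. some F τ̄ that matches both axioms' patterns."""
    t1, t2 = resolve(t1, env), resolve(t2, env)
    if t1 == t2:
        return True
    if t1[0] == 'var' or t2[0] == 'var':
        var, other = (t1, t2) if t1[0] == 'var' else (t2, t1)
        if var[1] in free_vars(other, env):
            return False
        env[var[1]] = other
        return True
    if t1[0] == 'con' or t2[0] == 'con':
        return False  # distinct constants, or a constant against an application
    return unify(t1[1], t2[1], env) and unify(t1[2], t2[2], env)

def rename(t, tag):
    """Prefix an axiom's variables so two axioms never share a variable name."""
    if t[0] == 'var':
        return ('var', f'{tag}.{t[1]}')
    if t[0] == 'app':
        return ('app', rename(t[1], tag), rename(t[2], tag))
    return t

def overlap(ax1, ax2):
    """True iff some F τ̄ matches a prefix of both LHSs (condition 2 violated)."""
    n1, f1, lhs1, _ = ax1
    n2, f2, lhs2, _ = ax2
    if f1 != f2:
        return False
    env, k = {}, min(len(lhs1), len(lhs2))
    return all(unify(rename(p, n1), rename(q, n2), env)
               for p, q in zip(lhs1[:k], lhs2[:k]))

def nonoverlapping(axioms):
    """Condition 2 of Good Γ, checked pairwise over the axioms."""
    return not any(overlap(axioms[i], axioms[j])
                   for i in range(len(axioms)) for j in range(i + 1, len(axioms)))

def ts_red(axioms, f, args):
    """Every TS_Red reduct of F args: match a prefix of args against each
    axiom's LHS and apply the leftover arguments to the instantiated RHS.
    Under Good Γ the returned list has at most one element."""
    reducts = []
    for name, g, lhs, rhs in axioms:
        env = {}
        if g == f and len(lhs) <= len(args) and all(match(p, t, env) for p, t in zip(lhs, args)):
            t = subst(rhs, env)
            for extra in args[len(lhs):]:
                t = ('app', t, extra)
            reducts.append(t)
    return reducts

INT, BOOL, CHAR = ('con', 'Int'), ('con', 'Bool'), ('con', 'Char')
# Constructed contexts for the demonstration:
GOOD = [('C1', 'F', [INT], BOOL), ('C2', 'F', [BOOL], CHAR)]
BAD_PREFIX = [('C1', 'F', [INT], BOOL), ('C2', 'F', [INT, ('var', 'a')], ('var', 'a'))]
BAD_UNIFY = [('C1', 'F', [('var', 'a'), INT], BOOL), ('C2', 'F', [BOOL, ('var', 'b')], CHAR)]
```

`BAD_PREFIX` is rejected because $F\,\mathrm{Int}$ is a prefix of $F\,\mathrm{Int}\,a$, the situation the prefix clause of condition 2 and Lemma E.3 rule out; `BAD_UNIFY` is rejected because $F\,a\,\mathrm{Int}$ and $F\,\mathrm{Bool}\,b$ unify, and `ts_red` then yields both $\mathrm{Bool}$ and $\mathrm{Char}$ for $F\,\mathrm{Bool}\,\mathrm{Int}$. The pairwise unification test is a sufficient condition for the per-instance statement of condition 2; it says nothing about conditions 1, 3 and 4.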

Showing that these conditions ensure that the context cannot prove two value types equal requires a number of auxiliary lemmas.

Lemma E.1 (No free coercion variables in erased types). If $\Gamma \vdash_{\mathrm{ty}} \tau : \kappa$, then $c \mathrel{\#} |\tau|$.

Proof. By inspection of the erasure function. All coercions are removed from types. □

Proof of Lemma 6.5 (Erasure is type preserving). If a judgement holds in the explicit system, the judgement with coercions erased throughout the context, types and coercions is derivable in the implicit system.

1. If $\vdash_{\mathrm{wf}} \Gamma$ then $\models |\Gamma|$.

2. If $\Gamma \vdash_{\mathrm{ty}} \tau : \kappa$ then $|\Gamma| \models |\tau| : |\kappa|$.

3. If $\Gamma \vdash_{\mathrm{pr}} \phi\ \mathrm{ok}$ then $|\Gamma| \models |\phi|\ \mathrm{ok}$.

4. If $\Gamma \vdash_{\mathrm{co}} \gamma : \phi$ then $|\Gamma| \models |\gamma| : |\phi|$.

5. If $\Gamma \vdash_{\mathrm{tel}} \overline{\rho} \Leftarrow \Delta$ then $|\Gamma| \models |\overline{\rho}| : |\Delta|$.

Proof. By simultaneous induction on the length of the explicit typing derivation. We present a few representative cases.



Case K_Cast: Given rule:
\[
\frac{\Gamma \vdash_{\mathrm{ty}} \tau : \kappa_1 \qquad \Gamma \vdash_{\mathrm{co}} \eta : \kappa_1 \sim \kappa_2 \qquad \Gamma \vdash_{\mathrm{ty}} \kappa_2 : \star}{\Gamma \vdash_{\mathrm{ty}} \tau \triangleright \eta : \kappa_2}\ \textsc{K\_Cast}
\]
By induction, we have $|\Gamma| \models |\tau| : |\kappa_1|$ and $|\Gamma| \models |\eta| : |\kappa_1| \sim |\kappa_2|$ and $|\Gamma| \models |\kappa_2| : \star$. By the rule IT_Cast, we have $|\Gamma| \models |\tau| : |\kappa_2|$. Finally, by definition of erasure, we have $|\tau \triangleright \eta| = |\tau|$, and we are done.

Case K_CApp: Given rule:
\[
\frac{\Gamma \vdash_{\mathrm{ty}} \tau_1 : \forall c{:}\phi.\,\kappa \qquad \Gamma \vdash_{\mathrm{co}} \gamma_1 : \phi}{\Gamma \vdash_{\mathrm{ty}} \tau_1\,\gamma_1 : \kappa[\gamma_1/c]}\ \textsc{K\_CApp}
\]
By induction and definition of erasure, we have $|\Gamma| \models |\tau_1| : \forall c{:}|\phi|.\,|\kappa|$, and $|\Gamma| \models \bullet_{\mathrm{co}} : |\phi|$. Hence, by rule IT_CApp, we have $|\Gamma| \models |\tau_1|\,\bullet_{\mathrm{co}} : |\kappa|$, and by erasure $|\tau_1\,\gamma_1| = |\tau_1|\,\bullet_{\mathrm{co}}$. Finally, we have $|\kappa[\gamma_1/c]| = |\kappa|$, as the erasure operation erases all coercions within $\kappa$.

Case CT_Coh: Given rule:
\[
\frac{\Gamma \vdash_{\mathrm{co}} \gamma : \tau_1 \sim \tau_2 \qquad \Gamma \vdash_{\mathrm{ty}} \tau_1 \triangleright \gamma' : \kappa}{\Gamma \vdash_{\mathrm{co}} \gamma \triangleright \gamma' : \tau_1 \triangleright \gamma' \sim \tau_2}\ \textsc{CT\_Coh}
\]
By induction and erasure, we have $|\Gamma| \models |\gamma| : |\tau_1| \sim |\tau_2|$. But also by erasure, we have $|\gamma \triangleright \gamma'| = |\gamma|$ and $|\tau_1 \triangleright \gamma' \sim \tau_2| = |\tau_1| \sim |\tau_2|$, so we are done.

Case CT_CApp: Given rule:
\[
\frac{\Gamma \vdash_{\mathrm{co}} \gamma_1 : \tau_1 \sim \tau'_1 \qquad \Gamma \vdash_{\mathrm{ty}} \tau_1\,\gamma_2 : \kappa \qquad \Gamma \vdash_{\mathrm{ty}} \tau'_1\,\gamma'_2 : \kappa'}{\Gamma \vdash_{\mathrm{co}} \gamma_1(\gamma_2, \gamma'_2) : \tau_1\,\gamma_2 \sim \tau'_1\,\gamma'_2}\ \textsc{CT\_CApp}
\]
By induction and definition of erasure, we have $|\Gamma| \models |\tau_1|\,\bullet_{\mathrm{co}} : |\kappa|$, $|\Gamma| \models |\tau'_1|\,\bullet_{\mathrm{co}} : |\kappa'|$, and $|\Gamma| \models |\gamma_1| : |\tau_1| \sim |\tau'_1|$. Hence, by rule ICT_CApp, we have $|\Gamma| \models |\gamma_1|(\bullet_{\mathrm{co}}, \bullet_{\mathrm{co}}) : |\tau_1|\,\bullet_{\mathrm{co}} \sim |\tau'_1|\,\bullet_{\mathrm{co}}$, and we are done by erasure.

Case CT_AllC: Given rule:
\[
\frac{
\begin{array}{c}
\Gamma \vdash_{\mathrm{co}} \eta_1 : \sigma_1 \sim \sigma'_1 \qquad \phi_1 = \sigma_1 \sim \sigma_2 \qquad
\Gamma \vdash_{\mathrm{co}} \eta_2 : \sigma_2 \sim \sigma'_2 \qquad \phi_2 = \sigma'_1 \sim \sigma'_2 \\
c_1 \mathrel{\#} |\gamma| \qquad c_2 \mathrel{\#} |\gamma| \qquad
\Gamma, c_1{:}\phi_1, c_2{:}\phi_2 \vdash_{\mathrm{co}} \gamma : \tau_1 \sim \tau_2 \\
\Gamma \vdash_{\mathrm{ty}} \forall c_1{:}\phi_1.\,\tau_1 : \star \qquad \Gamma \vdash_{\mathrm{ty}} \forall c_2{:}\phi_2.\,\tau_2 : \star
\end{array}
}{
\Gamma \vdash_{\mathrm{co}} \forall_{(\eta_1, \eta_2)}(c_1, c_2).\,\gamma : (\forall c_1{:}\phi_1.\,\tau_1) \sim (\forall c_2{:}\phi_2.\,\tau_2)
}\ \textsc{CT\_AllC}
\]
By induction and definition of erasure, we have

$|\Gamma| \models |\eta_1| : |\sigma_1| \sim |\sigma'_1|$,

$|\Gamma| \models |\eta_2| : |\sigma_2| \sim |\sigma'_2|$,

$|\phi_1| = |\sigma_1| \sim |\sigma_2|$,

$|\phi_2| = |\sigma'_1| \sim |\sigma'_2|$,

$|\Gamma|, c_1{:}|\phi_1|, c_2{:}|\phi_2| \models |\gamma| : |\tau_1| \sim |\tau_2|$,

$|\Gamma| \models \forall c_1{:}|\phi_1|.\,|\tau_1| : \star$, and

$|\Gamma| \models \forall c_2{:}|\phi_2|.\,|\tau_2| : \star$.

Furthermore, the original rule restricted $c_1$ and $c_2$ from appearing in $|\gamma|$. Hence, by ICT_AllC, we have $|\Gamma| \models \forall_{(|\eta_1|, |\eta_2|)}(c_1, c_2).\,|\gamma| : (\forall c_1{:}|\phi_1|.\,|\tau_1|) \sim (\forall c_2{:}|\phi_2|.\,|\tau_2|)$ and we are done by erasure.

□

Lemma E.2 (Application). If $\Gamma \models \sigma_1 \Leftrightarrow \sigma'_1$ and $\Gamma \models \sigma_2 \Leftrightarrow \sigma'_2$ then $\Gamma \models \sigma_1\,\sigma_2 \Leftrightarrow \sigma'_1\,\sigma'_2$.

Proof. Let $\tau_1$ be a join point of $\sigma_1, \sigma'_1$, and $\tau_2$ a join point of $\sigma_2, \sigma'_2$. By repeatedly applying rule TS_App and reflexivity of rewriting, we find that $\tau_1\,\tau_2$ is a join point for $\sigma_1\,\sigma_2$ and $\sigma'_1\,\sigma'_2$. □

Lemma E.3 (Type function preservation). If $\mathrm{Good}\ \Gamma$, $\Gamma \models F\,\overline{\tau}_1 \leadsto \sigma_1$ by TS_Red, and $\Gamma \models F\,\overline{\tau}_2 \leadsto \sigma_2$ with the list $\overline{\tau}_2$ a proper prefix of $\overline{\tau}_1$, then $\sigma_2 = F\,\overline{\tau}'_2$ for some types $\overline{\tau}'_2$ with $\Gamma \models \overline{\tau}_2 \leadsto \overline{\tau}'_2$.

Proof. We invert $\Gamma \models F\,\overline{\tau}_1 \leadsto \sigma_1$ to see that there exist $C$ and $\overline{\rho}$ such that $C : \forall \Delta.\ (F\,\overline{\tau} \sim \tau') \in \Gamma$ and $\overline{\tau}_1 = \overline{\tau}[\overline{\rho}/\Delta]$. By the definition of $\mathrm{Good}\ \Gamma$, we see that there must be only one prefix of $\overline{\tau}_1$ for which we can find an applicable axiom. Thus, rule TS_Red will not be applicable to $F$ applied to any prefix of $\overline{\tau}_1$ of length shorter than that of $\overline{\tau}_1$.

We proceed by induction on the length of the list $\overline{\tau}_2$.

Base case: The list $\overline{\tau}_2$ is empty, and thus we have $\Gamma \models F \leadsto \sigma_2$. We must show that $\sigma_2 = F$. Because the empty list is a prefix of $\overline{\tau}_1$, we know that TS_Red cannot apply. Thus, the reduction must be by TS_Refl and we are done.

Inductive case: The list is $\overline{\tau}_3, \tau_4$, and we have $\Gamma \models F\,\overline{\tau}_3\,\tau_4 \leadsto \sigma_2$. Because $\overline{\tau}_3, \tau_4$ is a prefix of $\overline{\tau}_1$, the rule TS_Red does not apply. Only rules TS_Refl and TS_App may apply. If we have used TS_Refl, we are done. Otherwise, we know $\Gamma \models F\,\overline{\tau}_3 \leadsto \sigma_3$ and $\Gamma \models \tau_4 \leadsto \sigma_4$, where $\sigma_2 = \sigma_3\,\sigma_4$. By induction, we know that $\sigma_3$ must be $F\,\overline{\sigma}'_3$ where $\Gamma \models \overline{\tau}_3 \leadsto \overline{\sigma}'_3$. Thus, $\sigma_2 = F\,\overline{\sigma}'_3\,\sigma_4$ where $\Gamma \models \overline{\tau}_3, \tau_4 \leadsto \overline{\sigma}'_3, \sigma_4$, as desired. □

Lemma E.4 (Unique type function reduction). If $\mathrm{Good}\ \Gamma$, $\Gamma \models F\,\overline{\tau} \leadsto \sigma_1$ by TS_Red and $\Gamma \models F\,\overline{\tau} \leadsto \sigma_2$ by TS_App, then $\sigma_2 = F\,\overline{\tau}'$ where $\Gamma \models \overline{\tau} \leadsto \overline{\tau}'$.

Proof. Since $\Gamma \models F\,\overline{\tau} \leadsto \sigma_2$ by TS_App, we must have $\overline{\tau} = \overline{\tau}_1, \tau_2$ and $\sigma_2 = \sigma_3\,\sigma_4$, with $\Gamma \models F\,\overline{\tau}_1 \leadsto \sigma_3$ and $\Gamma \models \tau_2 \leadsto \sigma_4$. By Lemma E.3, we know that $\sigma_3$ must have the form $F\,\overline{\sigma}'_3$ where $\Gamma \models \overline{\tau}_1 \leadsto \overline{\sigma}'_3$. We thus have the desired result. □

Lemma E.5 (Single Step Substitution). If $\Gamma \models \tau \leadsto \tau'$, $\sigma$ well-formed and $a$ not free in $\Gamma$, then $\Gamma \models \sigma[\tau/a] \leadsto^{*} \sigma[\tau'/a]$.

Proof. By induction on $\sigma$. For instance, if $\sigma = \forall c{:}\sigma_1 \sim \sigma_2.\,\sigma'$, then by induction,
\[
\Gamma \models \sigma'[\tau/a] \leadsto^{*} \sigma'[\tau'/a],
\]
and also
\[
\Gamma \models \sigma_i[\tau/a] \leadsto^{*} \sigma_i[\tau'/a].
\]
Thus, by rule TS_AllC, we conclude
\[
\Gamma \models (\forall c{:}\sigma_1 \sim \sigma_2.\,\sigma')[\tau/a] \leadsto^{*} (\forall c{:}\sigma_1 \sim \sigma_2.\,\sigma')[\tau'/a].
\]
The other cases are similar. □

Here, we prove completeness of the rewrite reduction with respect to the coercion relation. The two key lemmas of the completeness proof are that joinability is preserved under substitution, and a local diamond property of rewriting.

Lemma E.6 (Local diamond property). If $\mathrm{Good}\ \Gamma$, $\Gamma \models \sigma \leadsto \sigma_1$, and $\Gamma \models \sigma \leadsto \sigma_2$ then there exists $\sigma_3$ such that $\Gamma \models \sigma_1 \leadsto \sigma_3$ and $\Gamma \models \sigma_2 \leadsto \sigma_3$.

Proof. Induction on the lengths of the two step derivations with a case analysis on the last rule used in each.

The overlapping cases are TS_Refl paired with anything else, TS_App paired with TS_Red (and symmetrically), and all instances with the same final rule on both sides. The reflexivity overlaps are trivial. All other pairs of rules apply to types with different head forms. Of the same-same overlaps, most follow by induction. (We demonstrate an example of this pattern with the case TS_App–TS_App below.) The exceptions are TS_Red–TS_Red and TS_VarRed–TS_VarRed, which are both deterministic. Below, we complete the proof with the TS_App–TS_Red case.

Case TS_App–TS_App: Concretely, we have a type $\tau\,\sigma$ with reductions:
\[
\Gamma \models \tau\,\sigma \leadsto \tau'\,\sigma', \qquad \Gamma \models \tau\,\sigma \leadsto \tau''\,\sigma''
\]
Now, we can deduce:
\[
\Gamma \models \sigma \leadsto \sigma', \qquad \Gamma \models \sigma \leadsto \sigma''
\]
So by induction, we can find $\sigma'''$ that is a common reduct. We also know
\[
\Gamma \models \tau \leadsto \tau', \qquad \Gamma \models \tau \leadsto \tau''
\]
So, also by induction, we can find $\tau'''$ that is a common reduct of the two. Hence, by TS_App,
\[
\Gamma \models \tau'\,\sigma' \leadsto \tau'''\,\sigma''', \qquad \Gamma \models \tau''\,\sigma'' \leadsto \tau'''\,\sigma'''
\]

Case TS_Red–TS_App: Concretely, we have a type $F\,\overline{\tau}$, with reductions:
\[
\Gamma \models (F\,\overline{\tau}) \leadsto \sigma_1, \qquad \Gamma \models (F\,\overline{\tau}) \leadsto \sigma'_2\,\sigma'
\]
where the first reduction is a type function reduction. Now note that, since the context is good, type function axioms are nonoverlapping. Now say that $\overline{\tau} = \overline{\tau}_0, \sigma$. We have by inversion, $\Gamma \models F\,\overline{\tau}_0 \leadsto \sigma'_2$. By Lemma E.4, we have that $\sigma'_2 = F\,\overline{\tau}'_0$, such that $\Gamma \models \overline{\tau}_0 \leadsto \overline{\tau}'_0$, and so that $\Gamma \models \overline{\tau}_0, \sigma \leadsto \overline{\tau}'_0, \sigma'$. We have that if the axiom for $F$ is $C : \forall \Delta.\ (F\,\overline{\tau}_1 \sim \tau'_1)$, then $\overline{\tau}_0, \sigma = \overline{\tau}_1[\overline{\rho}_1/\Delta]$ (for some $\overline{\rho}_1$), and now by the first condition of good contexts, we have a $\overline{\rho}'_1$ such that
\[
\overline{\tau}'_0, \sigma' = \overline{\tau}_1[\overline{\rho}'_1/\Delta] \qquad \Gamma \models \overline{\rho}_1 \leadsto \overline{\rho}'_1
\]
In which case we have a reduction $\Gamma \models F\,\overline{\tau}'_0\,\sigma' \leadsto \tau'_1[\overline{\rho}'_1/\Delta]$. But, by an extension of Lemma E.10 to telescopes, we have that
\[
\sigma_1 = \tau'_1[\overline{\rho}_1/\Delta] \qquad \Gamma \models \sigma_1 \leadsto \tau'_1[\overline{\rho}'_1/\Delta]
\]
as desired.

Case TS_Red–TS_Red: Concretely, we have a type $F\,\overline{\sigma}_1\,\overline{\sigma}_2$, which can also be written as $F\,\overline{\sigma}_3\,\overline{\sigma}_4$, such that we have reductions:
\[
\Gamma \models F\,\overline{\sigma} \leadsto \sigma', \qquad \Gamma \models F\,\overline{\sigma} \leadsto \sigma''
\]
But since good contexts have nonoverlapping axioms, only one axiom applies, and only to one prefix. Hence, we are done: $\sigma' = \sigma''$.

□

Lemma E.7 (Transitivity of Rewriting). If $\mathrm{Good}\ \Gamma$ and $\Gamma \models \sigma_1 \Leftrightarrow \sigma_2$ and $\Gamma \models \sigma_2 \Leftrightarrow \sigma_3$, then $\Gamma \models \sigma_1 \Leftrightarrow \sigma_3$.

Proof. Appeal to the local diamond property. Suppose $\sigma_{12}$ is a join point for $\sigma_1, \sigma_2$ and $\sigma_{23}$ is a join point for $\sigma_2, \sigma_3$. By Lemma E.6, there is a join point $\sigma_0$ for $\sigma_{12}, \sigma_{23}$, and hence it is a join point for $\sigma_1, \sigma_3$. □

Lemma E.8 (Multistep Substitution). If $\Gamma \models \tau \leadsto^{*} \tau'$, $\sigma$ well-formed and $a$ not free in $\Gamma$, then $\Gamma \models \sigma[\tau/a] \leadsto^{*} \sigma[\tau'/a]$.

Proof. By induction on the length of the reduction $\Gamma \models \tau \leadsto^{*} \tau'$. The base case is trivial, and the inductive step follows by Lemma E.5. □

Lemma E.9 (Single Substitution). If $\Gamma \models \tau \Leftrightarrow \tau'$, and $\Gamma \models \sigma \leadsto \sigma'$, with $\sigma, \sigma'$ well-formed and $a$ not free in $\Gamma$, then $\Gamma \models \sigma[\tau/a] \Leftrightarrow \sigma'[\tau'/a]$.

Proof. There is a join point $\tau''$ of $\tau$ and $\tau'$; we can apply Lemma E.8 to the reductions $\Gamma \models \tau \leadsto^{*} \tau''$ and $\Gamma \models \tau' \leadsto^{*} \tau''$, and connect the two reductions with Lemma E.7. □



Lemma E.10 (Single Step Double Substitution). Suppose $\mathrm{Good}\ \Gamma$ and $\Gamma \models \sigma \leadsto \sigma'$, with $a$ free in $\sigma$ and $a'$ free in $\sigma'$, both well-formed, and $\Gamma = \Gamma', c{:}\,a \sim a', \Gamma''$ or $\Gamma = \Gamma', c{:}\,a' \sim a, \Gamma''$. Then $\mathrm{Good}\ (\Gamma', \Gamma'')[\tau/a][\tau'/a']$, and if $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \tau \Leftrightarrow \tau'$, then $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \sigma[\tau/a] \Leftrightarrow \sigma'[\tau'/a']$.

Proof. Note first that since $\mathrm{Good}\ \Gamma$, the only assumption mentioning $a, a'$ is $c$. Hence, $\mathrm{Good}\ (\Gamma', \Gamma'')[\tau/a][\tau'/a']$ is immediate. The rest follows by induction on the derivation of $\Gamma \models \sigma \leadsto \sigma'$.

Case TS_Refl: Follows from Lemma E.9.

Case TS_AllT: The rule is
\[
\frac{\Gamma, \Gamma' \models \kappa \leadsto \kappa' \qquad \Gamma, c{:}\,a_1 \sim a_2, \Gamma' \models \sigma \leadsto \sigma'}{\Gamma, \Gamma' \models \forall a_1{:}\kappa.\,\sigma \leadsto \forall a_2{:}\kappa'.\,\sigma'}\ \textsc{TS\_AllT}
\]
where $a_1$, $a_2$, $a$ and $a'$ are pairwise distinct, and $\Gamma, \Gamma' = \Gamma'', c'{:}\,a \sim a', \Gamma'''$. By induction, we have both $(\Gamma, \Gamma')[\tau/a][\tau'/a'] \models \kappa[\tau/a] \Leftrightarrow \kappa'[\tau'/a']$ and $\Gamma[\tau/a][\tau'/a'], c{:}\,a_1 \sim a_2, \Gamma'[\tau/a][\tau'/a'] \models \sigma[\tau/a] \Leftrightarrow \sigma'[\tau'/a']$. But now, we can put these transitions together with rule TS_AllT: first, we have
\[
(\Gamma, \Gamma')[\tau/a][\tau'/a'] \models \forall a_1{:}\kappa[\tau/a].\,\sigma[\tau/a] \Leftrightarrow \forall a_1{:}\kappa'[\tau'/a'].\,\sigma[\tau/a]
\]
By $\alpha$-renaming, the right hand side is $\forall a_2{:}\kappa'[\tau'/a'].\,\sigma[\tau/a]$. Now, we have
\[
(\Gamma, \Gamma')[\tau/a][\tau'/a'] \models \forall a_2{:}\kappa'[\tau'/a'].\,\sigma[\tau/a] \Leftrightarrow \forall a_2{:}\kappa'[\tau'/a'].\,\sigma'[\tau'/a']
\]
and we are done by Lemma E.7.

Case TS_AllC: Almost identical to the previous case.

Case TS_Red: Follows from Lemma E.9.

Case TS_VarRed: If the coercion in question isn't $c{:}\,a \sim a'$, then this case is trivial. Otherwise, we have by assumption that $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \tau \Leftrightarrow \tau'$, which is exactly what we need to prove.

Case TS_App: Similar to the previous cases. By induction (suppose we are substituting $\sigma''$, $\sigma'''$),
\[
(\Gamma', \Gamma'')[\sigma''/a][\sigma'''/a'] \models \tau[\sigma''/a] \Leftrightarrow \tau'[\sigma'''/a']
\]
and
\[
(\Gamma', \Gamma'')[\sigma''/a][\sigma'''/a'] \models \sigma[\sigma''/a] \Leftrightarrow \sigma'[\sigma'''/a'].
\]
So, by applying TS_App, we have
\[
(\Gamma', \Gamma'')[\sigma''/a][\sigma'''/a'] \models \tau[\sigma''/a]\ (\sigma[\sigma''/a]) \Leftrightarrow \tau'[\sigma'''/a']\ (\sigma[\sigma''/a])
\]
and
\[
(\Gamma', \Gamma'')[\sigma''/a][\sigma'''/a'] \models \tau'[\sigma'''/a']\ (\sigma[\sigma''/a]) \Leftrightarrow \tau'[\sigma'''/a']\ (\sigma'[\sigma'''/a'])
\]
so we are done by Lemma E.7.

Case TS_CApp: Immediate, by induction.

□



Lemma E.11 (Substitution). Suppose $\mathrm{Good}\ \Gamma$ and $\Gamma \models \sigma \leadsto^{*} \sigma'$, with $a, a'$ free in $\sigma, \sigma'$, and $\Gamma = \Gamma', c{:}\,a \sim a', \Gamma''$. Suppose also that $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \tau \Leftrightarrow \tau'$. Then, $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \sigma[\tau/a] \Leftrightarrow \sigma'[\tau'/a']$.

Proof. Induction on the length of the reduction $\Gamma \models \sigma \leadsto^{*} \sigma'$. The base case is trivial. The inductive step follows by Lemma E.10 and Lemma E.7. □

Corollary E.12 (Joinability substitution). Suppose $\mathrm{Good}\ \Gamma$ and $\Gamma \models \sigma \Leftrightarrow \sigma'$, with $a, a'$ free in $\sigma, \sigma'$, and $\Gamma = \Gamma', c{:}\,a \sim a', \Gamma''$. Suppose also that $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \tau \Leftrightarrow \tau'$. Then, $(\Gamma', \Gamma'')[\tau/a][\tau'/a'] \models \sigma[\tau/a] \Leftrightarrow \sigma'[\tau'/a']$.

Proof. By induction on the number of transitions in $\Gamma \models \sigma \Leftrightarrow \sigma'$. The base case is trivial. For the induction step, we use the induction hypothesis, combined with Lemma E.11. □

Lemma E.13 (Joinability strengthening). If $\mathrm{Good}\ (\Gamma, a{:}\kappa, \Gamma')$ and $\Gamma, a{:}\kappa, \Gamma' \models \tau_1 \Leftrightarrow \tau_2$, then $\mathrm{Good}\ (\Gamma, \Gamma')$ and $\Gamma, \Gamma' \models \tau_1 \Leftrightarrow \tau_2$.

Proof. By inspection of the rewrite relation. The rewrite relation does not depend on any type bindings in the context, only on axioms. □

Lemma E.14 (Basic implicit substitution).

1. If $\Gamma, a{:}\kappa_1, \Gamma' \models \tau : \kappa_2$ and $\Gamma \models \sigma : \kappa_1$, then $\Gamma, \Gamma'[\sigma/a] \models \tau[\sigma/a] : \kappa_2[\sigma/a]$.

2. If $\models \Gamma, a{:}\kappa_1, \Gamma'$ and $\Gamma \models \sigma : \kappa_1$, then $\models \Gamma, \Gamma'[\sigma/a]$.

3. If $\Gamma, a{:}\kappa_1, \Gamma' \models \phi\ \mathrm{ok}$ and $\Gamma \models \sigma : \kappa_1$, then $\Gamma, \Gamma'[\sigma/a] \models \phi[\sigma/a]\ \mathrm{ok}$.

Proof. Straightforward mutual induction. □

Lemma E.15 (Implicit regularity/generation). If $\Gamma \models \tau : \kappa$, then $\Gamma \models \kappa : \star$ and the height of this derivation is at most the height of $\Gamma \models \tau : \kappa$.

Proof. Straightforward induction, appealing to Lemma E.14 in the IT_TApp case. The base cases appeal to rules IT_StarInStar and IT_ArrowK. □

Lemma E.16 (Weakening for implicit system). If $\Gamma \models \tau : \kappa$, then $\Gamma, \Gamma' \models \tau : \kappa$ for any $\Gamma'$ such that $\models \Gamma, \Gamma'$, and there exists a derivation of $\Gamma \models \tau : \kappa$ with height at most the height of the derivation of $\Gamma, \Gamma' \models \tau : \kappa$.

Proof. Straightforward induction. □



We need a lemma to deal with the $\mathrm{kind}\ \gamma$ construct. Essentially, this lemma states that we don't need the $\mathrm{kind}\ \gamma$ construct, as it is already internalized in our system.

Lemma E.17 (Admissibility of "kind"). Suppose we have a derivation $\Gamma \models \gamma : \tau_1 \sim \tau_2$, such that $\Gamma \models \tau_1 : \kappa_1$ and $\Gamma \models \tau_2 : \kappa_2$ and $\mathrm{fcv}(\gamma) \subseteq \mathrm{dom}\,\Gamma'$ for some subcontext $\Gamma'$ satisfying $\mathrm{Good}\ \Gamma'$. Then, there exists a derivation $\Gamma \models \eta : \kappa_1 \sim \kappa_2$ at strictly lower height, for some $\eta$, such that $\mathrm{fcv}(\eta) \subseteq \mathrm{dom}\,\Gamma'$.

Proof Sketch. By induction on the derivation $\Gamma \models \gamma : \tau_1 \sim \tau_2$. Most cases are straightforward. We consider two here.

Case ICT_Trans: Given rule:
\[
\frac{\Gamma \models \gamma_1 : \tau_1 \sim \tau_2 \qquad \Gamma \models \gamma_2 : \tau_2 \sim \tau_3}{\Gamma \models \gamma_1 \mathbin{;} \gamma_2 : \tau_1 \sim \tau_3}\ \textsc{ICT\_Trans}
\]
Note that the free coercion variables of $\gamma_1 \mathbin{;} \gamma_2$ lie in a good context, so the same is true of $\gamma_1$ and $\gamma_2$. Hence, by induction, we are able to find derivations of $\Gamma \models \eta_1 : \kappa_1 \sim \kappa_2$ and $\Gamma \models \eta_2 : \kappa_2 \sim \kappa_3$, each of height less than that of the corresponding premise of ICT_Trans. Now, by ICT_Trans, we are able to create a proof $\Gamma \models \eta_1 \mathbin{;} \eta_2 : \kappa_1 \sim \kappa_3$ at height strictly less than that of the conclusion, and we are done.

Case ICT_Axiom: Given rule:
\[
\frac{C : \forall \Delta.\ (\tau_1 \sim \tau_2) \in \Gamma \qquad \Gamma \models \overline{\rho} : \Delta}{\Gamma \models C\,\overline{\rho} : \tau_1[\overline{\rho}/\Delta] \sim \tau_2[\overline{\rho}/\Delta]}\ \textsc{ICT\_Axiom}
\]
Note that the free coercion variables of $C\,\overline{\rho}$ lie in a good context, so the same is true of $C$ and $\overline{\rho}$. Thus, the axiom lies in a good subcontext. By definition of $\mathrm{Good}\ \Gamma'$, we have that both sides have kind $\kappa$ for a closed kind $\kappa$. Hence, simply choosing $\eta = \langle\kappa\rangle$ suffices. This $\eta$ will have no free coercion variables (appealing to Lemma E.1), so the restriction on free coercion variables is vacuously satisfied.

But, what is the height of the derivation of $\Gamma \models \langle\kappa\rangle : \kappa \sim \kappa$? It is one more than the height of $\Gamma \models \kappa : \star$, the premise of $\Gamma \models \langle\kappa\rangle : \kappa \sim \kappa$. This derivation $\Gamma \models \kappa : \star$ must be a part of the derivation concluding in ICT_Axiom: one of the premises to ICT_Axiom is $\Gamma \models \overline{\rho} : \Delta$. That judgement, in turn, must eventually appeal to It2_Empty, which depends on $\models \Gamma$. Because $C \in \mathrm{dom}\,\Gamma$, the proof of $\models \Gamma$ must appeal to IV_Ax, which in turn depends on $\Gamma, \Delta \models \tau_1 \sim \tau_2\ \mathrm{ok}$. This depends on $\Gamma, \Delta \models \tau_1 : \kappa$. By Lemma E.15, the proof of $\Gamma, \Delta \models \kappa : \star$ is strictly smaller than that of $\Gamma, \Delta \models \tau_1 : \kappa$. From the fact that $C$ lies in a good context, we know that $\kappa$ must not contain variables introduced in $\Delta$, so there exists a derivation $\Gamma \models \kappa : \star$ and the height of this derivation is no larger than the height of $\Gamma, \Delta \models \kappa : \star$, invoking Lemma E.16. Thus, the height of $\Gamma \models \langle\kappa\rangle : \kappa \sim \kappa$ is strictly smaller than the height of the derivation concluding in ICT_Axiom, as desired.

□

Lemma E.18 (Nth joinability). Suppose that $\Gamma \models H\,\overline{\rho} \Leftrightarrow H\,\overline{\rho}'$, and $\mathrm{Good}\ \Gamma$. Then, $\Gamma \models \rho_i \Leftrightarrow \rho'_i$.

Proof. By induction on the length of the telescopes (by inversion, both have the same length). The base case is trivial. For the inductive step, note that $H\,\overline{\rho}$ and $H\,\overline{\rho}'$ must both step by TS_App. Hence, by the form of that rewrite rule, say that $\overline{\rho} = \overline{\rho}_0, \rho_0$ and $\overline{\rho}' = \overline{\rho}'_0, \rho'_0$, and the lengths of the telescopes are preserved. So, $\Gamma \models \rho_0 \Leftrightarrow \rho'_0$. If we want the last element in the telescope, we are done. Otherwise, $\Gamma \models H\,\overline{\rho}_0 \Leftrightarrow H\,\overline{\rho}'_0$, and we are done by induction. □

From these lemmas we see that joinability is complete.

Proof of Lemma 6.7 (Completeness). Suppose that $\Gamma \models \gamma : \sigma_1 \sim \sigma_2$, and $\mathrm{fcv}(\gamma) \subseteq \mathrm{dom}\,\Gamma'$ for some subcontext $\Gamma'$ satisfying $\mathrm{Good}\ \Gamma'$. Then $\Gamma \models \sigma_1 \Leftrightarrow \sigma_2$.

Proof. By induction on the structure of $\Gamma \models \gamma : \sigma_1 \sim \sigma_2$.

Case ICT_CApp: We have the rule:
\[
\frac{\Gamma \models \gamma : \tau \sim \tau' \qquad \Gamma \models \tau\,\bullet_{\mathrm{co}} : \kappa \qquad \Gamma \models \tau'\,\bullet_{\mathrm{co}} : \kappa'}{\Gamma \models \gamma(\bullet_{\mathrm{co}}, \bullet_{\mathrm{co}}) : \tau\,\bullet_{\mathrm{co}} \sim \tau'\,\bullet_{\mathrm{co}}}\ \textsc{ICT\_CApp}
\]
Note that the free coercion variables of $\gamma(\bullet_{\mathrm{co}}, \bullet_{\mathrm{co}})$ lie in a good context, so the same is true of $\gamma$. Hence, by induction, $\Gamma \models \tau \Leftrightarrow \tau'$. Then, by Lemma E.2, we are done.

Case ICT_AllC: We have the rule:
\[
\frac{
\begin{array}{c}
\Gamma \models \eta_1 : \sigma_1 \sim \sigma'_1 \qquad \phi_1 = \sigma_1 \sim \sigma_2 \qquad
\Gamma \models \eta_2 : \sigma_2 \sim \sigma'_2 \qquad \phi_2 = \sigma'_1 \sim \sigma'_2 \\
c_1 \mathrel{\#} \gamma \qquad c_2 \mathrel{\#} \gamma \qquad
\Gamma, c_1{:}\phi_1, c_2{:}\phi_2 \models \gamma : \tau_1 \sim \tau_2 \\
\Gamma \models \forall c_1{:}\phi_1.\,\tau_1 : \star \qquad \Gamma \models \forall c_2{:}\phi_2.\,\tau_2 : \star
\end{array}
}{
\Gamma \models \forall_{(\eta_1, \eta_2)}(c_1, c_2).\,\gamma : (\forall c_1{:}\phi_1.\,\tau_1) \sim (\forall c_2{:}\phi_2.\,\tau_2)
}\ \textsc{ICT\_AllC}
\]
Note that the free coercion variables of $\forall_{(\eta_1, \eta_2)}(c_1, c_2).\,\gamma$ lie in a good context, so the same is true of $\gamma$, $\eta_1$, and $\eta_2$. Hence, by induction, there is a join point $\sigma''_1$ for $\sigma_1$ and $\sigma'_1$, and there is a join point $\sigma''_2$ for $\sigma_2$ and $\sigma'_2$. Let $\phi = \sigma''_1 \sim \sigma''_2$. Also by induction, there is a join point $\tau$ for $\tau_1, \tau_2$. By rule TS_AllC, we have that
\[
\Gamma \models \forall c_1{:}\phi_1.\,\tau_1 \leadsto^{*} \forall c_1{:}\phi.\,\tau
\qquad\text{and}\qquad
\Gamma \models \forall c_2{:}\phi_2.\,\tau_2 \leadsto^{*} \forall c_2{:}\phi.\,\tau
\]
and the two right-hand sides are $\alpha$-equivalent, hence the two quantified types are joinable.

Case ICT_Inst: We have the rule:
\[
\frac{\Gamma \models \gamma_1 : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2) \qquad \Gamma \models \gamma_2 : \sigma_1 \sim \sigma_2 \qquad \Gamma \models \sigma_1 : \kappa_1 \qquad \Gamma \models \sigma_2 : \kappa_2}{\Gamma \models \gamma_1@\gamma_2 : \tau_1[\sigma_1/a_1] \sim \tau_2[\sigma_2/a_2]}\ \textsc{ICT\_Inst}
\]
Note that the free coercion variables of $\gamma_1@\gamma_2$ lie in a good context, so the same is true of $\gamma_1$ and $\gamma_2$. Hence, by induction, $\Gamma \models \sigma_1 \Leftrightarrow \sigma_2$, and $\Gamma \models (\forall a_1{:}\kappa_1.\,\tau_1) \Leftrightarrow (\forall a_2{:}\kappa_2.\,\tau_2)$. Now, by inversion on the step relation for quantified types, we find that $\Gamma, c{:}\,a_1 \sim a_2 \models \tau_1 \Leftrightarrow \tau_2$. By joinability substitution (Corollary E.12), we have $\Gamma \models \tau_1[\sigma_1/a_1] \Leftrightarrow \tau_2[\sigma_2/a_2]$, as desired.

Case ICT_InstC: We have the rule:
\[
\frac{\Gamma \models \gamma : (\forall c{:}\sigma_1 \sim \sigma_2.\,\tau) \sim (\forall c'{:}\sigma'_1 \sim \sigma'_2.\,\tau') \qquad \Gamma \models \gamma_1 : \sigma_1 \sim \sigma_2 \qquad \Gamma \models \gamma_2 : \sigma'_1 \sim \sigma'_2}{\Gamma \models \gamma@(\bullet_{\mathrm{co}}, \bullet_{\mathrm{co}}) : \tau \sim \tau'}\ \textsc{ICT\_InstC}
\]
Note that the free coercion variables of $\gamma@(\bullet_{\mathrm{co}}, \bullet_{\mathrm{co}})$ lie in a good context, so the same is true of $\gamma$. Hence, by induction, $\Gamma \models (\forall c{:}\sigma_1 \sim \sigma_2.\,\tau) \Leftrightarrow (\forall c'{:}\sigma'_1 \sim \sigma'_2.\,\tau')$. Now, by inversion on the step relation for quantified types, we find that $\Gamma \models \tau \Leftrightarrow \tau'$, and we are done.

Case ICT_Refl: Trivial.

Case ICT_Sym: Trivial.

Case ICT_Trans: Follows from Lemma E.7.

Case ICT_App: Follows from Lemma E.2.

Case ICT_AllT: We have the rule:
\[
\frac{
\begin{array}{c}
\Gamma \models \eta : \kappa_1 \sim \kappa_2 \qquad
\Gamma, a_1{:}\kappa_1, a_2{:}\kappa_2, c{:}\,a_1 \sim a_2 \models \gamma : \tau_1 \sim \tau_2 \\
\Gamma \models \forall a_1{:}\kappa_1.\,\tau_1 : \star \qquad \Gamma \models \forall a_2{:}\kappa_2.\,\tau_2 : \star
\end{array}
}{
\Gamma \models \forall_{\eta}(a_1, a_2, c).\,\gamma : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2)
}\ \textsc{ICT\_AllT}
\]
Note that the free coercion variables of $\forall_{\eta}(a_1, a_2, c).\,\gamma$ lie in a good context, so the same is true of $\gamma$, since $c{:}\,a_1 \sim a_2$ is a good assumption that doesn't overlap with the previous axioms, as the variables $a_1, a_2$ are fresh. Hence, by induction, we have $\Gamma, a_1{:}\kappa_1, a_2{:}\kappa_2, c{:}\,a_1 \sim a_2 \models \tau_1 \Leftrightarrow \tau_2$, which we can strengthen to $\Gamma, c{:}\,a_1 \sim a_2 \models \tau_1 \Leftrightarrow \tau_2$ by Lemma E.13. Also by induction, we have $\Gamma \models \kappa_1 \Leftrightarrow \kappa_2$, which allows us to finish the case by TS_AllT.

Case ICT_Var: Trivial; all assumptions are rewrite rules in good contexts. Note that $c$ must be a good assumption in the context.

Case ICT_Axiom: We have the rule:
\[
\frac{C : \forall \Delta.\ (\tau_1 \sim \tau_2) \in \Gamma \qquad \Gamma \models \overline{\rho} : \Delta}{\Gamma \models C\,\overline{\rho} : \tau_1[\overline{\rho}/\Delta] \sim \tau_2[\overline{\rho}/\Delta]}\ \textsc{ICT\_Axiom}
\]
We know that $C$ lies in a good context, so we know that $\tau_1$ has the form $F\,\overline{\tau}'_1$. Thus, rule TS_Red shows that $\Gamma \models \tau_1[\overline{\rho}/\Delta] \leadsto \tau_2[\overline{\rho}/\Delta]$, so we are done, noting that TS_Refl shows that $\Gamma \models \tau_2[\overline{\rho}/\Delta] \leadsto \tau_2[\overline{\rho}/\Delta]$ as well.

Case ICT_Nth: We have the rule:
\[
\frac{\Gamma \models \gamma : H\,\overline{\tau} \sim H\,\overline{\tau}'}{\Gamma \models \mathrm{nth}\,i\,\gamma : \tau_i \sim \tau'_i}\ \textsc{ICT\_Nth}
\]
Note that the free coercion variables of $\mathrm{nth}\,i\,\gamma$ lie in a good context, so the same is true of $\gamma$. Hence, by induction and then Lemma E.18, we are done.

Case ICT_Nth1TA: We have the rule:
\[
\frac{\Gamma \models \gamma_1 : (\forall a_1{:}\kappa_1.\,\tau_1) \sim (\forall a_2{:}\kappa_2.\,\tau_2)}{\Gamma \models \mathrm{nth}\,1\,\gamma_1 : \kappa_1 \sim \kappa_2}\ \textsc{ICT\_Nth1TA}
\]
Note that the free coercion variables of $\mathrm{nth}\,1\,\gamma_1$ lie in a good context, so the same is true of $\gamma_1$. Hence, by induction on $\gamma_1$, the two quantified types have a join point. By inversion on the rewrite relation, both sides must step via TS_AllT. Hence, we can find a join point for the kinds, and $\Gamma \models \kappa_1 \Leftrightarrow \kappa_2$ as desired.

Cases ICT_Nth1CA, ICT_Nth2CA: We have the rules:
\[
\frac{\Gamma \models \gamma : (\forall c{:}\kappa_1 \sim \kappa_2.\,\tau) \sim (\forall c'{:}\kappa'_1 \sim \kappa'_2.\,\tau')}{\Gamma \models \mathrm{nth}\,1\,\gamma : \kappa_1 \sim \kappa'_1}\ \textsc{ICT\_Nth1CA}
\]
\[
\frac{\Gamma \models \gamma : (\forall c{:}\kappa_1 \sim \kappa_2.\,\tau) \sim (\forall c'{:}\kappa'_1 \sim \kappa'_2.\,\tau')}{\Gamma \models \mathrm{nth}\,2\,\gamma : \kappa_2 \sim \kappa'_2}\ \textsc{ICT\_Nth2CA}
\]
Virtually identical to the previous case.

Case ICT_Ext: We have the rule:
\[
\frac{\Gamma \models \gamma : \tau_1 \sim \tau_2 \qquad \Gamma \models \tau_1 : \kappa_1 \qquad \Gamma \models \tau_2 : \kappa_2}{\Gamma \models \mathrm{kind}\ \gamma : \kappa_1 \sim \kappa_2}\ \textsc{ICT\_Ext}
\]
By the admissibility of $\mathrm{kind}\ \gamma$ (Lemma E.17) we can construct a derivation of $\Gamma \models \eta : \kappa_1 \sim \kappa_2$ at strictly smaller height that proves the same equality, such that $\eta$ has its free coercion variables in a good context. Then, we are done by induction.

□

Lemma E.19 (Consistency). If $\mathrm{Good}\ |\Gamma|$ then $\Gamma$ is consistent.

Proof. Suppose $\Gamma \vdash_{\mathrm{co}} \gamma : \xi_1 \sim \xi_2$. Then, we have that $|\Gamma| \models |\gamma| : |\xi_1| \sim |\xi_2|$. By completeness, those two types are joinable: there is some $\sigma$ such that $|\Gamma| \models |\xi_1| \leadsto^{*} \sigma$ and $|\Gamma| \models |\xi_2| \leadsto^{*} \sigma$. However, by inversion on the rewriting relation, we see that it preserves the head forms of value types (since there exist no axioms for those, by the first condition of $\mathrm{Good}\ |\Gamma|$). Also, we know that erasure preserves head forms. Thus, $\xi_1$ and $\xi_2$ (and $\sigma$) have the same head form. □

F. Metatheory for Progress

Using the consistency lemma, it is straightforward to prove progress. We refer the reader to previous work (Weirich et al. 2010) for this proof, which requires only one more case for the current system:

Lemma F.1 (Progress for T_Contra). Assume $\Sigma$ is a closed, consistent context. If $\Sigma \vdash_{\mathrm{tm}} \mathrm{contra}\ \gamma\ \tau : \tau$, then there exists some $e$ such that $\mathrm{contra}\ \gamma\ \tau \longrightarrow e$.

Proof. By inversion on $\Sigma \vdash_{\mathrm{tm}} \mathrm{contra}\ \gamma\ \tau : \tau$, we get that $\Sigma \vdash_{\mathrm{co}} \gamma : H_1\,\overline{\rho}_1 \sim H_2\,\overline{\rho}_2$ and that $H_1 \neq H_2$. However, these facts exactly contradict the fact that $\Sigma$ is consistent. Thus, our premises are absurd and we are done. □



